b'                                                                             Report No. DODIG-2014-094\n\n\n\n              I nspec tor Ge ne ral\n                                                U.S. Department of Defense\n\n              J u ly 1 7 , 2 0 1 4\n\n\n\n\n                     Approaches for Establishing\n                     Fraud Risk Assessment Programs\n                     and Conducting Fraud Audit\n                     Risk Assessments Within the\n                     Department of Defense\n\n\n\n\nI n t e g r i t y \xef\x82\xab e f f i c i e n c y \xef\x82\xab a c c o u n ta b i l i t y \xef\x82\xab e x c e l l e n c e\n\x0c         I n t e g r i t y \xef\x82\xab e f f i c i e n c y \xef\x82\xab a c c o u n ta b i l i t y \xef\x82\xab e x c e l l e n c e\n\n\n\n\n                                            Mission\n      Our mission is to provide independent, relevant, and timely oversight\n      of the Department of Defense that supports the warfighter; promotes\n      accountability, integrity, and efficiency; advises the Secretary of\n                 Defense and Congress; and informs the public.\n\n\n\n                                              Vision\n      Our vision is to be a model oversight organization in the Federal\n      Government by leading change, speaking truth, and promoting\n      excellence\xe2\x80\x94a diverse organization, working together as one\n               professional team, recognized as leaders in our field.\n\n\n\n\n                                        Fraud, Waste & Abuse\n\n                                        HOTLINE\n                                        Department of Defense\n                                         dodig.mil/hotline | 8 0 0 . 4 2 4 . 
9 0 9 8\n\n\n\n\nFor more information about whistleblower protection, please see the inside back cover.\n\x0c                                         Results in Brief\n                                         Approaches for Establishing Fraud Risk Assessment\n                                         Programs and Conducting Fraud Audit Risk Assessments\n                                         Within the Department of Defense\n\n\nJuly 17, 2014                                               What We Found (cont\xe2\x80\x99d)\n                                                            Fraud risk assessment approaches developed by the Marine\nObjective                                                   Corps Nonappropriated Funds Audit Service; Army and Air\nThe objective of the review was to identify                 Force Exchange Service, Audit Division; and the Army Audit\napproaches for establishing fraud risk                      Agency are highlighted within this report. Additionally,\nassessment programs and conducting fraud                    entity-wide fraud risk assessment approaches developed by\nrisk assessments within the DoD. The review                 the DoD Investigative Organizations; Naval Exchange Service\nfocused on various DoD activities including                 Command, Office of Internal Audit; and the Naval Sea Systems\nprocurement, retail, and financial operations.              Command Office of the Inspector General are also discussed\n                                                            in detail. The report also contains information on auditor and\n                                                            entity-wide fraud risk assessment approaches developed by\nWhat We Found                                               external DoD organizations.\nWe identified numerous innovative approaches\nfor conducting fraud risk assessments.                      
We used documentation obtained from the subject matter\nOf the 33 DoD organizations we interviewed,*                experts to develop example documents included in the report\n13 were conducting entity-wide risk                         Appendixes. Example documents include audit organization\nassessments, 26 were conducting fraud risk                  fraud risk assessment policies, financial statement audit\nassessments when performing audit-related                   fraud interview questionnaire, and an entity-wide fraud risk\nwork, 23 were providing fraud awareness                     assessment report. The report also provides information on\ntraining, and 3 were concentrating on                       auditor fraud brainstorming and interviewing techniques and\ninternal control evaluations.                               DoD fraud case study examples.\n\nDoD entities are encouraged to modify\nany of the described approaches to suit                     Management Comments and\ntheir specific mission, size, and fraud                     Our Response\nvulnerabilities.   The   approaches    were\n                                                            We have incorporated draft report comments received from\ndeveloped through research and interviews\n                                                            the Commander, Naval Sea Systems Command; Naval Audit\nwith     100     subject   matter    experts\n                                                            Service; Defense Health Agency; Defense Information\nrepresenting DoD organizations, academic\n                                                            Systems Agency, Office of the Inspector General; Air Force\ninstitutions,    private  companies,    and\n                                                            Office of Special Investigations; and Board of Regents\nnonprofit organizations.\n                                                            of the University System of Georgia. 
No further comments\n                                                            are required.\n\n\t*\t\n      For some DoD organizations, more than one component\n      participated in this review.\n\n\n\n\nVisit us at www.dodig.mil\n\n\n                                                                               DODIG-2014-094 (Project No. D2012-DAPOIA-0227.000) \xe2\x94\x82 i\n\x0c\x0cDistribution:\n\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nCommandant of the Marine Corps\nDirector, Defense Commissary Agency\nDirector, Defense Contract Management Agency\nDirector, Defense Finance and Accounting Service\nDirector, Defense Information Systems Agency\nDirector, Defense Logistics Agency\nDirector, Missile Defense Agency\nDirector, Tricare Management Activity\nNaval Inspector General\nAuditor General, Department of the Army\nAuditor General, Department of Navy\nAuditor General, Department of the Air Force\n\n\n\n\n                                                                              DODIG-2014-094 \xe2\x94\x82 iii\n\x0c                  Contents\n                  Introduction\n                  Objective__________________________________________________________________________________________1\n                  Background_______________________________________________________________________________________1\n\n                  Successful Brainstorming for Auditors______________________________ 10\n                  American Accounting Association Top Seven Brainstorming Practices___________________ 12\n                  Grant Thornton, LLP, Fraud Brainstorming Approaches for Auditors_____________________ 12\n                  TDoD Fraud Brainstorming Approaches_____________________________________________________ 17\n\n                  DoD Audit Organizations\xe2\x80\x99 Approaches 
for Performing\n                  Fraud Risk Assessments_______________________________________________________ 18\n                  Marine Corps Nonappropriated Funds Audit Service Fraud Risk\n                     Assessment Approach_____________________________________________________________________ 18\n                  Army and Air Force Exchange Service, Audit Division, Fraud Risk\n                     Assessment Approach_____________________________________________________________________ 22\n                  Army Audit Agency Fraud Risk Assessment Approach _____________________________________ 29\n                  Summary of DoD Audit Organizations\xe2\x80\x99 Approaches for Conducting Fraud\n                     Risk Assessments__________________________________________________________________________ 34\n\n                  Auditor Fraud Risk Assessment\n                  Special Considerations_ ________________________________________________________ 35\n                  Special Fraud Risk Considerations When Auditing Health Care Organizations __________ 35\n                  Special Fraud Risk Considerations When Auditing Government Contracts_______________ 36\n\n\n\n\niv \xe2\x94\x82 DODIG-2014-094\n\x0cContents (cont\xe2\x80\x99d)\nApproaches for Conducting Entity-Wide\nFraud Risk Assessments_______________________________________________________ 37\nFraud Risk Assessment Benefits for DoD Organizations____________________________________ 37\nDoD Investigative Organizations\xe2\x80\x99 Fraud Risk Assessment Approaches____________________ 39\nNavy Exchange Service Command Fraud Risk Assessment Approach_____________________ 40\nNaval Sea Systems Command Fraud Mitigation Framework_ ______________________________ 44\nNAVSEA, Office of Inspector General, Contract Fraud Risk Assessment and\n   Mitigation Branch, Fraud Risk Assessment Approach__________________________________ 47\nProfessional Organization Guidance on Managing the Business Risk of 
Fraud___________ 49\nAustralian National Audit Office Fraud Risk Management Process________________________ 55\nAustralian National Audit Office Fraud Risk Assessment Approach _______________________ 57\nAssociation of American Medical Colleges __________________________________________________ 58\nSmart Insights, LLC Fraud Risk Assessment Approach_____________________________________ 62\nTexas Tech Fraud Risk Assessment Approach_______________________________________________ 63\nGrant Thornton Approach for Enterprise Risk Management_______________________________ 67\nGrant Thornton Fraud Risk Assessment Approach__________________________________________ 70\nSummary of Entity-Wide Approaches for Conducting Fraud Risk Assessments__________ 72\n\nSummary of DoD and External Organizations\xe2\x80\x99 Fraud\nInitiatives_________________________________________________________________________________ 74\nDoD Entities and External Organizations\xe2\x80\x99 Fraud Risk Assessment Approaches, Fraud\n   Awareness Training, and Internal Control Evaluations ________________________________ 74\nDepartment of Defense________________________________________________________________________ 77\nDepartment of the Army_ _____________________________________________________________________ 84\nDepartment of the Navy_______________________________________________________________________ 84\nDepartment of the Air Force__________________________________________________________________ 88\nExternal Organizations________________________________________________________________________ 89\n\n\n\n\n                                                                                                    DODIG-2014-094 \xe2\x94\x82 v\n\x0c                  Contents (cont\xe2\x80\x99d)\n                  Appendixes\n                  Appendix A. Scope and Methodology_________________________________________________________ 93\n                  Appendix B. 
Example Naval Audit Service Performance Audit Fraud Risk Policy_ _______ 96\n                  Appendix C. Example Naval Audit Service Fraud Risk Assessment Work Paper_________104\n                  Appendix D. Example DoD OIG, Fraud Interview Questionnaire \xe2\x80\x93 Financial\n                     Statement Audit_ _________________________________________________________________________108\n                  Appendix E. Example IIA, AICPA, ACFE, Fraud Risk Assessment Framework____________110\n                  Appendix F. Example Smart Insights Group, LLC, Internal Control\n                     Evaluation Questionnaire________________________________________________________________114\n                  Appendix G. Example Grant Thornton Client Report and Heat Map______________________123\n                  Appendix H. Example NAVSEA, Office of the Inspector General, Contract Fraud Risk\n                     Assessment and Mitigation Branch, Organization Fraud Risk Assessment Report__131\n                  Appendix I. Procurement Fraud Personality Risk Profiles_________________________________138\n                  Appendix J. Organization Tool for Evaluating Fraud Control Program ___________________143\n                  Appendix K. Suggested Reading _____________________________________________________________146\n\n                  Acronyms and Abbreviations_____________________________________________148\n\n\n\n\nvi \xe2\x94\x82 DODIG-2014-094\n\x0c                                                                                            Introduction\n\n\nIntroduction\nObjective\nThe objective of the review was to identify approaches for establishing fraud risk\nassessment programs and conducting fraud audit risk assessments within the DoD.\nThe review focused on various DoD activities including procurement, retail, and\nfinancial operations. 
Information in this report should be used as a resource for\nDoD organizations interested in improving their current methods for assessing fraud\nrisk. The document also serves as a useful teaching tool to enhance auditors\xe2\x80\x99\nunderstanding of the fraud risk assessment process and educate DoD entities\nabout the value of entity-wide fraud risk assessment programs. Each of the risk\nassessment approaches presented can be modified to suit an organizations\xe2\x80\x99\nmission, size and specific fraud vulnerabilities.\n\n\nBackground\nFraud Risk Assessments Benefits for DoD\nFraud risk assessments help to mitigate the risk of fraud occurring within DoD\nprograms and operations.       To assist DoD\xe2\x80\x99s efforts to prevent, detect, and mitigate\nfraud, we identify approaches for conducting fraud risk assessments for DoD\nauditors   and    DoD    organizations.   We    also   describe   numerous   fraud   risk\nassessment approaches developed by DoD organizations. The suggested approaches\nwere obtained through interviews with 100 subject matter experts from within\nDoD, the public and private sectors, and published research (refer to Appendix A\nfor a list of organizations participating in this review). The technical experts\nrepresented 45 organizations located in 16 states and the District of Columbia.\nIndividuals contributing to this review included auditors, forensic auditors,\ninvestigators, attorneys, academics, and engineers. Additional information within\nthis document includes auditor fraud brainstorming and interviewing techniques,\nexample fraud risk assessment policies, and case study examples. Although we do\nnot endorse a specific approach, we are presenting a variety of models for\nDoD organizations and auditors to consider when evaluating fraud risk.\n\n\nSignificant Threat of Fraud Within DoD\nFraud within the DoD presents a significant threat to the organization\xe2\x80\x99s mission and\nefforts to ensure warfighter safety. 
Because of the size and complexity of DoD\nprograms and operations, opportunities to commit fraud are always present.\n\n\n\n\n                                                                                        DODIG-2014-094 \xe2\x94\x82 1\n\x0cIntroduction\n\n\n                 Advances in technology, along with the ongoing development of new fraud\n                 schemes, reinforces the need for DoD organizations to be continuously alert to\n                 fraud, perform periodic fraud risk assessments, and provide fraud awareness\n                 training to all employees. \xe2\x80\x85Fraud risk assessments benefit all organizations by offering\n                 a cost-effective method to evaluate fraud risks, identify entity-wide improvements,\n                 educate employees about fraud, and improve internal controls. Audit organization\n                 fraud risk assessments support DoD efforts to prevent and detect fraud through\n                 analyzing internal controls, considering fraud schemes and indicators, and\n                 developing recommendations for management to reduce the likelihood of fraud.\n\n                 Individuals     attempting    to   defraud   DoD       include   contractors,   subcontractors,\n                 civilian employees, and individual service members. Fraudulent activities range\n                 from complex procurement schemes to theft in retail operations. 
The following\n                 examples of recent fraud cases illustrate the challenges facing the Department:\n\n                         \xe2\x80\xa2\t A construction company paid a $2 million fine and $1.1 million to\n                               settle allegations of submitting false claims to the government.\n\n                         \xe2\x80\xa2\t DoD contractors and Navy employees were sentenced to pay more than\n                               $3 million for a widespread bribery and corruption scheme.\n\n                         \xe2\x80\xa2\t A pharmaceutical company paid $45 million to resolve criminal and\n                               civil allegations of drug misbranding.\n\n                         \xe2\x80\xa2\t A former Army Major was sentenced to 18 months in prison for a bribery\n                               scheme relating to DoD contracts in Kuwait.\n\n                 When organizations do not conduct periodic fraud risk assessments, they are often\n                 reactive when fraud occurs and are left to answer questions such as:\n\n                         \xe2\x80\xa2\t Why did this happen?\n\n                         \xe2\x80\xa2\t How did this happen?\n\n                         \xe2\x80\xa2\t How significant is the damage to our reputation?\n\n                         \xe2\x80\xa2\t What is the effect on the trust of the public, elected officials, and\n                               key stakeholders?\n\n                         \xe2\x80\xa2\t How can we prevent this from happening in the future?\n\n                         \xe2\x80\xa2\t Why did the auditors not alert management to internal control\n                               weaknesses and fraud vulnerabilities?\n\n\n\n\n2 \xe2\x94\x82 DODIG-2014-094\n\x0c                                                                                                                        Introduction\n\n\nDefinition of Fraud\nFraud is defined in various ways. 
The generally accepted government auditing\nstandards (GAGAS) describes fraud as:\n\n                  A type of illegal act involving the obtaining of something of value\n                  through willful misrepresentation. Whether an act is, in fact, fraud is\n                  a determination to be made through the judicial or other adjudicative\n                  system and is beyond the auditor\xe2\x80\x99s professional responsibility.\n\n\nBlack\xe2\x80\x99s law dictionary also describes fraud as:\n\n                  A knowing misrepresentation of the truth or concealment of a material\n                  fact to induce another to act to his or her detriment. 1\n\n\nDefinition of Fraud Risk Assessments\nIt is important for DoD organization\xe2\x80\x99s to understand the differences between\nenterprise-wide risk assessments and fraud risk assessments. Although both\napproaches contain similarities, the objectives, outcomes, and benefits to an\norganization differ. Enterprise-wide risk assessments are focused on identifying\nrisks associated with achieving program goals, maximizing program performance,\nor future risks, such as reductions in budgets or personnel. In comparison, a fraud\nrisk assessment is an evaluation of potential instances of fraud that could impact\nan organization\xe2\x80\x99s ethics and compliance standards, business practice requirements,\nfinancial reporting integrity, and program goals and program performance.2\n\n\nAuditor Responsibility for Assessing Fraud Risk\nAuditors are required to assess the risk of fraud when conducting their work\nin accordance with GAGAS, American Institute of Certified Public Accounts (AICPA),\nand the Institute of Internal Auditors (IIA), International Professional Practices\nFramework. 
Auditing standards also require auditors to maintain their professional\nskepticism and remain alert to fraud indicators at all phases of an audit.\nTo maximize the benefit to DoD, fraud risk assessments should not be considered\nonly routine exercises, or just a way to document compliance with auditing\nstandards or internal policies and procedures. Instead, auditors should conduct\nrobust discussions about fraud indicators and schemes and in-depth analyses of\ninternal controls to identify weaknesses when conducting fraud risk assessments.\n\n\n\t1\t\n      Black\xe2\x80\x99s Law Dictionary, 9th edition, 2009.\n\t2\t\n      Pricewaterhouse Coopers, \xe2\x80\x9cA practical guide to risk assessment, How principles-based risk assessment enables\n      organizations to take the right risks,\xe2\x80\x9d 2008.\n\n\n\n\n                                                                                                                     DODIG-2014-094 \xe2\x94\x82 3\n\x0cIntroduction\n\n\n                 GAGAS\n                 The December 2011 Revision of GAGAS acknowledges the auditor\xe2\x80\x99s responsibility\n                 to assess fraud risk when conducting performance audits:\n\n                            In planning the audit, auditors should assess risks of fraud\n                            occurring that is significant within the context of the audit\n                            objectives. Audit team members should discuss among the team\n                            fraud risks, including factors such as individuals\xe2\x80\x99 incentives or\n                            pressures to commit fraud, the opportunity for fraud to occur, and\n                            rationalizations or attitudes that could allow individuals to commit\n                            fraud. 
Auditors should gather and assess information to identify\n                            risks of fraud that are significant within the scope of the audit\n                            objectives or that could affect the findings and conclusions.\n                            An attitude of professional skepticism in assessing these risks\n                            assists auditors in assessing which factors or risks could\n                            significantly affect the audit objectives.\n\n\n                 For financial statement audits, GAGAS incorporates the AICPA Statements on\n                 Auditing Standards. GAGAS establishes requirements for performing financial\n                 audits in addition to the requirements contained within the AICPA standards.\n                 Auditors should comply with these additional requirements, along with the\n                 Statements on Auditing Standards guidance when citing GAGAS in their reports.\n\n\n                 AICPA\n                 AICPA Auditing Standard, Section 316, \xe2\x80\x9cConsideration of Fraud in a Financial\n                 Statement Audit,\xe2\x80\x9d requires auditors to assess the risk of fraud. Members of the audit\n                 team should discuss the potential for material misstatement due to fraud through\n                 an exchange of ideas or brainstorming discussion. 
Additionally, when applying\n                 professional judgment to assess fraud risk, the following risk attributes should\n                 be considered.\n\n                         \xe2\x80\xa2\t The type of risk that may exist, that is, whether it involves fraudulent\n                            financial reporting or misappropriation of assets.\n\n                         \xe2\x80\xa2\t The significance of the risk, that is whether it is of a magnitude that\n                            could lead to result in a possible material misstatement of the\n                            financial statements\n\n                         \xe2\x80\xa2\t The likelihood of the risk, that is, the likelihood that it will result in a\n                            material misstatement in the financial statements\n\n\n\n\n4 \xe2\x94\x82 DODIG-2014-094\n\x0c                                                                                         Introduction\n\n\n        \xe2\x80\xa2\t The pervasiveness of the risk, that is, whether the potential risk is\n           pervasive to the financial statements as a whole or specifically related to\n           a particular accounting assertion, financial statement accounts or types\n           of transactions.\n\nIIA, International Professional Practices Framework\nThe January 2013 version of the IIA, \xe2\x80\x9cInternational Professional Practices\nFramework, Performance Standards, Risk Assessment,\xe2\x80\x9d Section 2120A2, states that\nthe internal audit (IA) activity must evaluate the potential for the occurrence of\nfraud and how the organization manages fraud risk.\n\n\nFederal Organization\xe2\x80\x99s Responsibility for Minimizing the\nPotential for Waste, Fraud, and Mismanagement\nOffice of Management and Budget Circular A-123, \xe2\x80\x9cManagement\xe2\x80\x99s Responsibility\nfor Internal Control,\xe2\x80\x9d December 2004, states that management has a fundamental\nresponsibility to develop and maintain effective internal 
controls. Programs must\noperate and resources must be used consistent with agency missions, in compliance\nwith laws and regulations, and with minimal potential for waste, fraud, and\nmismanagement. Managers should define the control environment and then\nperform risk assessments to identify the most significant areas within that\nenvironment in which to place or enhance internal control. The risk assessment\nis a critical step in the process to determine the extent of controls. Management is\nthen responsible for redesigning or improving upon those controls. Management is\nalso responsible for communicating the objectives of internal control and ensuring\nthe organization is committed to sustaining an effective internal control environment.\n\n\nDoD Guidance on Safeguarding Against Waste, Fraud, Abuse\nand Mismanagement of Resources\nDoD Instruction, 5010.40, \xe2\x80\x9cManagers\xe2\x80\x99 Internal Control Program Procedures,\xe2\x80\x9d\nMay 2013, assigns responsibility and prescribes procedures for the execution of\nthe program within the DoD. This guidance requires DoD employees to determine\nwhether a financial reporting material weakness is a significant deficiency, or\na combination of significant deficiencies, that results in more than a remote\nlikelihood that a material misstatement of the financial statements will not be\nprevented or detected. An internal control deficiency should be considered a material\nweakness if it significantly weakens established safeguards against waste, fraud,\nabuse, and mismanagement of resources.\n\n\n\n\n                                                                                     DODIG-2014-094 \xe2\x94\x82 5\n\x0cIntroduction\n\n\n                 Why Fraud Happens\n                 In 1950, Donald R. 
Cressey, a criminologist, examined why people commit fraud.\n                 Donald Cressey\xe2\x80\x99s work resulted in the development of the Fraud Triangle (see\n                 Figure 1), which uses the elements of opportunity, motivation, and rationalization\n                 to explain why people commit fraud. Organizations have limited control over\n                 fraudster\xe2\x80\x99s3 pressures and rationalizations. However, proactive steps can be taken\n                 to significantly reduce opportunities to commit fraud.4\n\n                 Figure 1. The Fraud Triangle\n\n\n\n\n                       Opportunity:                                                             Rationalization:\n                       \xef\x82\x9f Seizing opportunities                              Ra                  \xef\x82\x9f The fraud gain outweighs\n                                                                  y\n                                                              nit\n\n\n                         to commit the fraud\n                                                                              tio                 the possibility of detection\n                                                                                                \xef\x82\x9f Self-justi\xef\xac\x81cation for actions\n                                                          rtu\n\n\n\n                                                                                  na\n                                                                                     liza\n                                                       po\n                                                    Op\n\n\n\n\n                                                                                         tio\n                                                                                            n\n\n                                                                   Motive\n                                   
      Motive:\n                                         \xef\x82\x9f Motivation (perceived need or desire to commit\n                                           the fraud, can be personal or job related)\n                       Developed by Donald R. Cressey\n\n\n                 Opportunity\n                 Fraud is more likely to occur in organizations where\n                 there is a weak system of internal controls, poor\n                                                                                                              Research\n                 security over assets, little fear of exposure and                                        shows that some\n                 likelihood         of     detection,        or      unclear       policies             employees are totally\n                 regarding          acceptable        behavior.        The      Chartered              honest, some are totally\n                                                                                                         dishonest, but that\n                 Institute        of     Management           Accountants,          \xe2\x80\x9cFraud              many are swayed by\n                 risk management, A guide to good practice,\xe2\x80\x9d 2008,                                       the opportunity to\n                 states that, \xe2\x80\x9cResearch shows that some employees                                          commit fraud.\n                 are totally honest, some are totally dishonest, but that\n                 many are swayed by the opportunity to commit fraud.\xe2\x80\x9d\n\n                 \t3\t\n                       The definition of a fraudster is a person who commits fraud. Source: Dictionary.com\n                 \t4\t\n                       Donald R. 
Cressey, \xe2\x80\x9cOther People\xe2\x80\x99s Money,\xe2\x80\x9d Montclair: Patterson Smith 1973, and Naval Sea Systems Command, Office of\n                       Inspector General, Presentation, \xe2\x80\x9cAcquisition Fraud Awareness Training,\xe2\x80\x9d not dated.\n\n\n\n6 \xe2\x94\x82 DODIG-2014-094\n\x0c                                                                                                                    Introduction\n\n\nThere must be something to steal and a way to steal it. Anything of value is\nsomething to steal, including both DoD tangible assets such as inventory items,\nand intangible assets such as government patents and copyrights. Any weakness\nin a system, for example, lack of oversight, provides opportunities to steal from DoD.\nOf the three elements of the Fraud Triangle, opportunity is often the most\nchallenging to detect, but is fairly easy to control through improvements to\ninternal controls and changes to policies or procedures.\n\n\nRationalization\nMany people obey the law because they believe in it and/or are afraid of being\nshamed or rejected by their friends and family if they are caught. However, some\npeople are able to rationalize fraudulent actions as:\n\n               \xe2\x80\xa2\t Necessary \xe2\x80\x93 especially when done for the organization,\n\n               \xe2\x80\xa2\t Harmless \xe2\x80\x93 because the victim is large enough to absorb the impact, or\n\n               \xe2\x80\xa2\t Justified \xe2\x80\x93 because the victim deserved it or because they were mistreated.5\n\nThere are two aspects of rationalization: One, the fraudster concludes that the gain\nto be realized from fraudulent activities outweighs the possibility for detection.\nTwo, the fraudster needs to justify committing the fraud. Justification can relate to\njob dissatisfaction or perceived entitlement, or saving one\xe2\x80\x99s family, possessions, or\nstatus. 
Rationalization is usually detected by observing the fraudster’s comments or attitudes.6

Motive
In simple terms, motivation is based on either greed or need. Many people are faced with the opportunity to commit fraud, and only a minority of the greedy or needy do so. In general, greed is the number one cause of fraud, along with problems with debt and gambling. Personality and temperament, including how frightened people are about the consequences of taking risks, also influence their decisions. Some people with good principles fall into negative behavior patterns and develop tastes for the fast life, which tempts them to commit fraud. Others are motivated only when faced with personal and professional ruin.7

5 Chartered Institute of Management Accountants, “Fraud risk management, A guide to good practice,” 2008.
6 Naval Sea Systems Command, OIG, Presentation, “Acquisition Fraud Awareness Training,” not dated.
7 Chartered Institute of Management Accountants, “Fraud risk management, A guide to good practice,” 2008.

Case study examples of DoD-specific frauds are discussed in Figures 2 and 3. The examples are for illustrative purposes and highlight the presence of motivation, opportunity, and rationalization in each fraud scheme.

Figure 2. Case Study: Disclosure of Information

Motivation, Opportunity and Rationalization in DoD
Improper Disclosure of Source Selection Information

Case Facts – A DoD employee responsible for assisting the contracting officer with funding, performance, and technical issues relating to a DoD program admitted to Federal investigators that he disclosed contractor bid and source selection information to a company bidding on a new contract. The employee gave the company the information so it would have a competitive advantage during contract bidding.

Motivation – In exchange for the information, the company provided the employee with a new car.

Opportunity – The contracting officer was overwhelmed with their workload and paid little attention to contract awards of less than $3 million.

Rationalization – The employee had been passed over for promotion several times and believed he was mistreated and not valued by DoD.

Outcome – The employee was prosecuted in Federal court and received a maximum sentence of 20 years in prison and a fine of $250,000.

Figure 3. Case Study: Trafficking Counterfeit Parts and Money Laundering

Motivation, Opportunity and Rationalization in DoD
Counterfeit Parts

“I have to buy China and risk fake parts to compete. …It’s my biz.” Fraudster Instant Message, 2008

Case Facts – During a 5-year period, a DoD parts supplier purchased counterfeit semiconductors from sources in Hong Kong and China. The individual went to great lengths to conceal the true origin of the parts and sold them as legitimate and reliable components for use in submarines and complex machinery.

Motivation – The supplier was motivated by money. Through the sale of about 14,000 counterfeit parts, they were paid several million dollars.

Opportunity – Counterfeit parts are difficult to detect once they enter the DoD supply chain. Globalization of the supply chain has resulted in many suppliers receiving goods from second- and third-tier suppliers. Quality assurance tests may not detect all counterfeit parts because counterfeiters are skilled at making parts appear authentic.

Rationalization – Because the scheme was successful over time, the fraudster believed their chances of getting caught were minimal or nonexistent.

Outcome – The fraudster was indicted on eight counts that included conspiring to traffic in counterfeit goods, conspiring to traffic in counterfeit military goods, trafficking in counterfeit goods, and conspiring to commit wire fraud and money laundering. When convicted, they were sentenced to 75 years in Federal prison.

Successful Brainstorming for Auditors
Most approaches for conducting auditor fraud risk assessments require auditors to brainstorm fraud indicators and schemes associated with their audit objectives. American Accounting Association8 research shows that important tangible benefits are achieved through high-quality brainstorming sessions.9 In contrast, research also suggests that some engagement teams will incur the cost of brainstorming without receiving the intended benefits of the interaction. Quality brainstorming plays an important role in improving the link between auditors’ fraud risk assessments and their subsequent testing, including the design of audit procedures. Figure 4 illustrates a model of audit teams’ use of brainstorming in their consideration of fraud. This model is based on psychology and accounting research and on the framework of AICPA Statement on Auditing Standards Number 99, “Consideration of Fraud in a Financial Statement Audit.”

Figure 4.
Auditors’ Use of Brainstorming in the Consideration of Fraud

[Figure 4 is a diagram. Three inputs feed Brainstorming Quality: Attendance and Communication; Brainstorming Structure and Timing; and Engagement Team Effort. Brainstorming Quality moderates the path from Fraud Risk Factors (Incentives, Opportunities, Rationalizations) through the Fraud Risk Assessment to the Fraud Risk Response (Audit Testing: Nature, Staffing, Timing, Extent).]

8 The American Accounting Association is a voluntary organization of persons in accounting education and research that promotes worldwide excellence in accounting education, research, and practice.
9 American Accounting Association, “Auditors’ Use of Brainstorming in the Consideration of Fraud: Reports from the Field,” Joseph F. Brazel, North Carolina State University; Tina D. Carpenter, University of Georgia; J. Gregory Jenkins, Virginia Polytechnic Institute and State University, 2010.

Brainstorming Quality
Brainstorming quality is directly affected by team members’ attendance and communication, the structure and timing of the session, and engagement team effort. As more members of the engagement team attend and participate in the brainstorming session, there will be greater diversity and more sharing of information. This should improve the overall quality of the session and the responsiveness of fraud judgments. The structure and timing of team discussions also contribute to the quality of team judgments. Sessions held earlier in the planning process positively influence auditors’ fraud judgments, as the engagement team will have more time to implement the ideas endorsed during the session. Engagement team effort is another determinant of the quality of teams’ brainstorming sessions. Auditors are encouraged to identify risks and potential audit responses prior to brainstorming. These efforts should enhance each team member’s involvement in the fraud audit process, augment their client-specific knowledge, and improve their contributions to the brainstorming session.

Fraud Risk Factors, Fraud Risk Assessment, Fraud Risk Response
AICPA Statement on Auditing Standards Number 99, “Consideration of Fraud in a Financial Statement Audit,” provides guidance to improve the likelihood that auditors will detect fraud using a multi-phase approach. First, auditors collect information related to the risk of material misstatement due to fraud. Using such information, auditors brainstorm to identify fraud risk factors (e.g., incentives, opportunities, rationalizations), synthesize this information to develop a fraud risk assessment, and develop a response to the risk assessment, such as altering the staffing of the engagement or modifying the nature, timing, and extent of audit procedures. Brainstorming sessions are intended to aid auditors in linking fraud risk factors to risk assessments and, in turn, to foster the development of appropriate audit responses. As such, the model depicted in Figure 4 indicates that brainstorming should influence both phases of the fraud decision-making process, such that the relations among fraud risk factors, risk assessments, and responses are positively moderated by the quality of the brainstorming session.

American Accounting Association Top Seven Brainstorming Practices
Researchers identified seven brainstorming practices that significantly improve brainstorming quality.10 Most importantly, they are all controllable inputs that can be easily fostered by management. Figure 5 lists the top seven brainstorming practices for auditors.

Figure 5.
Top Seven Brainstorming Practices for Auditors

Seven Brainstorming Essentials for Auditors

• Sessions are led by a partner or forensic specialist.
• An information technology audit specialist attends the primary brainstorming session.
• The engagement’s primary session is held pre-planning or early in planning.
• The discussion of how management might perpetrate fraud is robust.
• The discussion about audit responses to fraud risk is detailed.
• The level of manager contribution to the session is high.
• The level of partner contribution to the session is significant.

Grant Thornton, LLP, Fraud Brainstorming Approaches for Auditors
The Importance of Ensuring Sufficient Rigor
If conducted with sufficient rigor, the fraud brainstorming session is central to identifying and responding to fraud risks. Ordinarily in the first year the meeting has such rigor, but in subsequent periods, if sufficient rigor is not sustained, there is a risk that it could become a routine exercise and that what the audit team learns over time is not brought to the discussion.

10 American Accounting Association, “Auditors’ Use of Brainstorming in the Consideration of Fraud: Reports from the Field,” Joseph F. Brazel, North Carolina State University; Tina D. Carpenter, University of Georgia; J. Gregory Jenkins, Virginia Polytechnic Institute and State University, 2010.

The meeting facilitator should not arrive at the brainstorming session with a preconceived notion of the final outcome and a mindset that is closed to new ideas, and must give full consideration to the value of new ideas.
Partner, Grant Thornton, LLP

When conducting fraud brainstorming sessions, it is important that team members and session leaders remain focused on the attributes discussed in Figure 6.

Figure 6. Attributes of Rigorous Brainstorming11

Attributes of Sufficient Rigor

• Devoting sufficient time to the fraud risk brainstorming meeting.
• Ensuring active participation by partner, manager, and subject matter experts.
• Focusing on risks of material misstatement due to fraud, as opposed to all fraud risks.
• Stressing the importance of professional skepticism and the specific areas where it is needed.
• Holding robust discussions about how the team will respond to identified fraud risks and tailoring the audit procedures to reflect those decisions.
• Reinforcing the concept that the risk assessment process does not end with the meeting; if, during the course of the audit, additional fraud risks are identified, they should be brought to the attention of the partner and the audit procedures adjusted as necessary.

11 Grant Thornton, “DoD Office of Inspector General, Conducting Fraud Risk Assessments Within DoD, Project No. D2012-DIP0AI-00227.000,” Grant Thornton Survey Responses, April 2013.

Methods to Achieve Sufficient Rigor
Preparing for the Session
When preparing for a brainstorming session, the session facilitator should review the applicable auditing standards and be familiar with, and able to discuss, various aspects of the consideration of fraud:

• the three conditions that generally accompany fraud (that is, incentive/pressure, opportunity, and an attitude that permits rationalization),
• management’s unique ability to perpetrate fraud,
• the possibility of concealed fraud, and
• the potential existence of collusion.

A brainstorming session leader who has prepared sample responses to these prompts or considered past examples of fraud is better equipped to jump-start a stalled brainstorming session or keep a fraud discussion on track.
Brainstorming sessions conducted immediately after the engagement team kick-off meeting allow the participants to use information discussed during the kick-off meeting to form questions and comments regarding fraud while their understanding of the organization is still fresh.

Devoting Sufficient Time to the Fraud Risk Brainstorming Meeting
When conducting brainstorming sessions, it is important to allow ample time for the session. The free flow of ideas and connections among team members with different perspectives can often take circuitous routes that do not add as much value to the process if time is too short or the process is rushed. The process is designed to promote free-form thinking from an unbiased perspective, but the session can benefit from some level of advance preparation on the part of the meeting facilitator. This advance preparation can bring sufficient focus to the situation to increase the likelihood of considering the breadth of relevant factors.

Ensuring Active Participation
Active participation by audit managers, auditors, and specialists ensures that team members with the most experience provide guidance and input during the discussions. However, discussions are often more interactive when nonleadership members of the team lead the discussions. Members of the leadership of the audit team should interject in the discussion when necessary. This approach allows for a free exchange of information rather than a lecture-type discussion.

Keeping the Discussion Fresh
It is important to keep fraud discussions fresh from year to year or engagement to engagement to ensure that participants in the discussion continue to think “out of the box” and consider the possibility of fraud from diverse perspectives. An effective strategy for encouraging creativity and new perspectives is to rotate the staff both leading and participating in the discussion. By assigning different staff to lead the fraud discussion year after year, the fraud brainstorming session may take a different direction or tone, as the new staff leading the discussion may have a fresh viewpoint on the auditee’s susceptibility to fraud.

Ranking Fraud Risks
Developing a risk ranking during the session is essential. The ranking of risk areas requires a full understanding of how each business area functions. Based on that understanding, auditors must consider the likelihood of fraud based on the type of business function, the factors influencing the business environment, and the controls in place. Determining the relative risk of each area requires not only a thorough analysis of these factors but also professional judgment based on years of experience. Materiality is an important concept in auditing, but when it comes to considering fraud one must use caution, as the occurrence of a seemingly small fraud in terms of dollar amount can have much larger implications for the organization. These larger implications can include the assessment of management integrity and whether management representations can be accepted, as well as the potential legal and reputational implications of relatively small amounts of fraud.

Balancing Costs and Benefits
To balance the costs and benefits, the auditor must be able to estimate the level of effort required to analyze an area. The level of effort determines the expected cost. This expected cost must be compared to the combination of the potential cost of fraud in an area and the probability of fraud occurring, as was done when determining a risk ranking. This risk ranking is subjective and, again, based not only on a thorough analysis but also on professional judgment based on years of experience.

Identifying High-Risk Areas
Holding robust discussions on how the team will respond to identified fraud risks and tailoring the audit procedures to reflect the decisions is essential. Areas of heightened risk may be identified by the audit team during the fraud risk assessment process and brainstorming sessions.
It is an effective practice to have a team member document in writing those areas, including the reasons why the team determined the area to be of high risk. A subsequent meeting should be held with the engagement management team to decide the level of focus for each of those areas and the audit response/tests that should be included within the audit programs.

Stressing the Importance of Professional Skepticism
It is critical to reinforce that the fraud risk assessment process does not end with the meeting. If, during the course of the audit, additional fraud risks are identified, they should be brought to the attention of the audit manager and the audit procedures adjusted as necessary. During the brainstorming sessions the team is reminded to maintain professional skepticism during all phases of the audit. AICPA Statement on Auditing Standards 99, “Consideration of Fraud in a Financial Statement Audit,” and GAGAS explain the importance of exercising professional skepticism while conducting an audit. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence. Professional skepticism does not mean an auditor should view every transaction as though it is tainted by fraud or interact with the client as though the client has fraudulently and materially misstated the financial statements. The auditor should conduct the engagement with a mindset that recognizes the possibility that fraud could be present, regardless of any past experience with the entity and regardless of the auditor’s belief about management’s honesty and integrity. Furthermore, professional skepticism requires an ongoing questioning of whether the information and evidence obtained suggest that fraud has occurred.12

12 Grant Thornton, “DoD Office of Inspector General, Conducting Fraud Risk Assessments Within DoD, Project No. D2012-DIP0AI-00227.000,” Grant Thornton Survey Responses, April 2013.

DoD Fraud Brainstorming Approaches
Interviews with DoD subject matter experts disclosed that many organizations are using brainstorming sessions when conducting fraud risk assessments and control self-assessments (CSAs).13 Personnel providing guidance on effective brainstorming approaches include attorneys, auditors, investigators, and risk management experts. Figure 7 summarizes DoD-suggested fraud brainstorming approaches.

Figure 7. DoD Organizations’ Brainstorming Practices

DoD Organizations’ Fraud Brainstorming Tips

Participants are asked “What is the Air Force equity that is at risk?” to help identify vulnerabilities.
Criminal Investigator, United States Air Force, Office of Special Investigations

No thought is considered bad; instead, all thoughts are considered good. Any ideas put forward by participants are considered. At the end of the sessions, all the walls in the meeting rooms are papered with ideas.
Director, Defense Contract Management Agency, Contract Integrity Center

The setting is informal and the environment is non-threatening. These strategies encourage participation from each team member.
Supervisory Auditor, Defense Commissary Agency, Office of Inspector General, Audit Division

When identifying fraud risks, follow the money; where an organization is spending money, you will find fraud.
Criminal Investigator, Defense Information Systems Agency, Office of Inspector General, Investigations Division

Before holding the fraud brainstorming session, it is important that people understand the session objective.
Auditor, Defense Logistics Agency, Office of Inspector General, Audit Division

Make sure attendees keep on time and keep on task.
Deputy Director, Department of the Navy, Risk Management and Compliance Branch

Have fun!
Chief Audit Executive, Navy Exchange Service Command

13 CSAs help to identify fraud risks, vulnerabilities, and opportunities to improve existing controls.

DoD Audit Organizations’ Approaches for Performing Fraud Risk Assessments
DoD audit organizations developed numerous approaches for performing fraud risk assessments. Auditors can modify any of the fraud risk assessment examples presented in this document to suit their organization’s size, mission, and structure. In addition to discussing fraud risk assessment approaches, other guidance discussed within this section includes:

• fraud interviewing approaches,
• general control environment questionnaires, and
• testing for fraud.

See Appendixes B and C for examples of fraud risk assessment policies and a fraud risk assessment work paper developed by the Naval Audit Service.

Marine Corps Nonappropriated Funds Audit Service Fraud Risk Assessment Approach
Key steps used by the Marine Corps Nonappropriated Funds Audit Service (MCNAFAS) when performing fraud risk assessments are audit team brainstorming sessions to identify fraud risks and internal control questionnaires. For brainstorming sessions, team members review prior-year work papers, when available, to determine whether previously identified fraud risk factors are applicable to the current audit objectives. Through team discussion, team members also identify new fraud risks and vulnerabilities. The brainstorming sessions reinforce the importance of professional skepticism and set the tone for the engagement.

Networking within your organization and with your audit peers is an effective way to stay current on fraud trends within your industry.
Audit Director, MCNAFAS

Internal Control Questionnaires
MCNAFAS developed internal control questionnaires to gather information about the auditee’s general control environment. Sometimes, auditors modify the questionnaires to include information about the process being reviewed to gain an understanding of the program or activity and to assist in evaluating control effectiveness. If the questionnaires disclose areas where controls are weak, team members consider the area for additional testing during fieldwork. Figure 8 provides an example of control environment questions.
See Appendix D for an example fraud interview questionnaire for a financial statement audit developed by the DoD Office of Inspector General (OIG),14 Office of the Deputy Inspector General for Audit.

    14 In this document, the terms Inspector General (IG) or Office of Inspector General (OIG) refer to all Inspector General Offices, to include statutory and nonstatutory entities.


Figure 8. Auditor Questionnaire

    General Control Environment Questionnaire

    1.  Can management override a control? If yes, explain.
    2.  How does senior management communicate its commitment to sound internal control and their expectation regarding the employees' role?
    3.  Does management receive frequent and timely updates from the budget function, accounting function, internal and external audits, and compliance functions? If yes, explain.
    4.  Is the structure appropriate to manage activities and accomplish goals? If no, explain.
    5.  Are the reporting relationships appropriately organized and periodically reviewed? If no, explain.
    6.  Are the appropriate number of people and resources allocated to key functions/activities? If no, explain.
    7.  Are job descriptions current, accurate, and understood? If no, explain.
    8.  What mechanism exists to identify any new laws or regulations or changes to existing ones?
    9.  What has management done to effectively encourage employees to communicate control breakdowns, overrides, or potential regulation or policy violations?
    10. Has management established a code of conduct and other policies regarding acceptable business practices, conflicts of interest, and standards for ethical and moral behavior?


Effective Fraud Interviews

It is helpful for auditors to remember that effective communication requires active listening skills. Auditors at MCNAFAS and Grant Thornton, LLP (Grant Thornton) consistently integrate employee interviews within their fraud risk assessment approaches. Both organizations emphasize that interviewing techniques are essential for achieving high-quality fraud interviews. Figure 9 summarizes interview strategies recommended by both organizations.


Figure 9. Interviewing Techniques

    Strategies for Effective Fraud Interviews

    Interviews with Management and Employees
    Audit team members interview both managers and employees to gather information about fraud risks, assist with evaluating controls, and obtain information about potential fraudulent activities.
    This strategy provides employees opportunities to raise any concerns they might have regarding management fraud. When conducting employee and management interviews, auditors should use care and good judgment in any discussions about fraud with all personnel and not insinuate that fraud is present or imply that an employee or manager is under suspicion of fraud.

    Setting the Tone for Discussion
    An important consideration when preparing for a fraud interview session is to set the proper tone for the discussion. Because of the sensitive nature of a discussion of fraud and the potential for interview participants to become shy or refrain from voicing their opinions, it is a good idea to indicate that the interview session is required by AICPA, Statement on Auditing Standard 99, "Consideration of Fraud in a Financial Statement Audit," and that no one is suspected of or being accused of fraud when conducting a financial statement audit.

    Asking Follow-Up Questions
    When conducting fraud interview sessions, it is critical to keep an open mind and to ask follow-up questions. Many frauds have been allowed to continue too long because of the failure to ask the next question. Responses to interview questions may be less complete than expected. If so, requests for additional clarification or amplification are often necessary. Other times, responses may be different from what was expected or about areas other than what was asked. In those situations, rather than continue to the next question from a predetermined list, it is important to probe further. The person being interviewed may feel uncomfortable providing information directly that could lead to uncovering a potential issue. But with sufficient diligence in following up on responses, the auditor is more likely to fully identify suspect situations or irregularities. This is not possible without listening fully to responses and responding with relevant follow-up questions.


Army and Air Force Exchange Service, Audit Division, Fraud Risk Assessment Approach

The Army and Air Force Exchange Service (AAFES), Audit Division, fraud risk assessment approach provides an example of a straightforward and effective method for auditors to use when conducting their work. When conducting their analysis of internal controls over a process or program, team members consider "What Could Go Wrong?" to help identify fraud risks and assign risk rankings of high, moderate, or low. When fraud risks are identified, auditors evaluate their results to determine whether additional audit testing is needed for higher risk areas.

    When conducting fraud risk assessments, auditors need to think about internal controls and ask themselves: What do I need to measure? And, what is the potential for fraud?
                                                            Audit Director, AAFES


AAFES Fraud Risk Assessment Overview

The AAFES fraud risk assessment approach is summarized in Figure 10. A key concept in the approach is the importance of critical thinking when evaluating controls and identifying control weaknesses.
AAFES requires auditors to conduct a fraud risk assessment during audit planning to ensure that auditors remain alert to fraud risks throughout the audit process.


Figure 10. AAFES Fraud Risk Assessment Approach

    AAFES Methods for Identifying Fraud Risks

    • During audit planning, team members review relevant policies and procedures.

    Auditors brainstorm and use the risk assessment template tool to:

    • Identify relevant risk areas
        • Examine the process or program flow. Team members stimulate discussion by considering: Where along those processes can control breakdowns occur?
    • Identify internal controls
        • Auditors discuss: What may happen if there is a breakdown in internal controls?
    • Identify areas where fraud could occur that are significant to the audit objective.
    • Design audit procedures to address those risk areas.
    • Document analysis and results in the fraud risk assessment template.


AAFES Fraud Risk Assessment Example

When completing the fraud risk assessment template, auditors are required to perform a detailed analysis of the reviewed area. This example is presented for illustrative purposes only. Refer to Table 1 to view the assessment in its entirety.

    1.  Document the fraud risk assessment objective. A clear and concise objective statement should be developed to ensure all team members understand the expected outcome of the analysis.

Objective Statement. To ensure adequate reporting of sales and accurate billing.

    2.  Document the process flow. During this step, auditors document the process they are reviewing. Team members should consider conducting employee and management interviews and/or reviewing the organization's policies and procedures when performing this step.

Process Flow. Student applies for free/reduced meals.

    3.  Analyze Process Control Points/Internal Control Over Process. For each step documented in the process flow, auditors analyze and document the related internal controls. If multiple controls are developed by an organization, this information should be documented on the fraud risk assessment template.

Process Control Points/Internal Controls Over Process. Local installation or community commander approves/denies application based on income guidelines set by the Secretary of Agriculture.

    4.  Risk Details/What Could Go Wrong? During this step, team members review each control and brainstorm to identify potential control weaknesses by asking themselves, "What could go wrong?" It is important for the team to consider previous audit results and prior frauds, and to apply their education, training, and experience when performing this analysis.

What Could Go Wrong? Student approved for incorrect meal plan and/or student approved even though they were not eligible.

    5.  Risk Level. Auditors assign risk rankings based upon the information documented in the risk details section of the template. The AAFES approach uses risk rankings of high, moderate, or low.

Risk Level. Low. The Exchange would still be reimbursed for meals sold regardless of student eligibility.

    6.  Audit Procedure. The team members develop audit procedures to address identified risks. When completing this step, auditors remember that additional procedures may not be necessary for lower risk areas. It is important that auditors rely on their professional judgment and experience when making this determination.

Audit Procedure. None required. Risk is low.
The Exchange is not involved in the approval process for free/reduced meals and reimbursement is not affected.

    7.  Fraud Test. The audit team develops fraud tests for moderate or high-risk areas. For the AAFES fraud risk assessment approach, audit procedures documented in the fraud risk template are used to test for fraud.

Fraud Test. Review facility personnel costs and personnel cost transfers to ensure that the desired goal for personnel costs is 50 percent below sales and that school meal associates are being effectively used in the summer months when school is closed.


Table 1. AAFES Fraud Risk Assessment Example
SUBJECT AREA: School Meal Program
OBJECTIVE: To ensure adequate reporting of sales and accurate billing.

Columns: Process Flow | Process Control Points (Internal Controls Over Process) | Risk Details (What Could Go Wrong?) | Risk Level (High, Moderate, or Low) | Audit Procedure | Fraud Test

Process Flow: Student applies for free/reduced meals.
    Process Control Points: Local installation or community commander approves/denies application based on income guidelines set by the Secretary of Agriculture.
    Risk Details: Student approved for incorrect meal plan and/or student approved even though they were not eligible.
    Risk Level: Low – The Exchange would still be reimbursed for meals sold regardless of student eligibility.
    Audit Procedure: None required. Risk is low. The Exchange is not involved in the approval process for free/reduced meals and reimbursement would not be affected.
    Fraud Test: None required.

Process Flow: Student purchases meal using cash, coupons, or Horizon FastLane Point of Sales School prepayment system (Horizon System).
    Process Control Points: Coupons issued in sets of ten to a book. Books are serial numbered and number controlled by each type of coupon. Coupons are only issued at one retail location which is designated by the Exchange General Manager. This is usually the Cashier's Cage at the main store.
    Risk Details: Students receive more than the monthly allotted number of coupons and hand them out to friends.
    Risk Level: Low – All schools are currently using the Horizon System. On the occasion coupons are necessary, the students can only be issued one month of coupons at a time (2 Books). Each book has a serial number (and the coupons have the same serial number) and is number controlled. Coupons are only sold at one location.
    Audit Procedure: None required. Risk is low.
    Fraud Test: None required.

Process Flow: (continued from above)
    Process Control Points: Account in the Horizon System is established annually by the parent at the Cashier's Cage in the main store. Where applicable, the account is set up to reflect free or reduced meals and is charged accordingly in the Horizon System.
    Risk Details: Student allows others to use their Horizon FastLane account to charge meals.
    Risk Level: Low – Accounts are set up by the parents. A user name and password are created for logging into the system. Each student is given a PIN that is used when purchasing meals. The US Department of Agriculture (USDA) allows three charges to a student's account. To limit excessive charging, a "reminder note" will be sent home when the student's account drops below the equivalent of three meals.
    Audit Procedure: None required. Risk is low. Reimbursement for meals served would not be affected.
    Fraud Test: None required.

Process Flow: (continued from above)
    Process Control Points: Local installation or community commander approves/denies application based on income guidelines set by the Secretary of Agriculture.
    Risk Details: Account set up in Horizon System is for the incorrect meal plan.
    Risk Level: Low – The Exchange would still be reimbursed for meals sold regardless of the meal category.
    Audit Procedure: None required. Risk is low. The Exchange is not involved in the approval process for free/reduced meals and reimbursement would not be affected.
    Fraud Test: None required.

Process Flow: Daily/Monthly sales data sent to Self Defense Force for consolidation and completion of Office of Management and Budget Form Number 0564-0284 (USDA Food and Nutrition Service, School Lunch/Breakfast/Snack Claim for Reimbursement).
    Process Control Points: Daily/Monthly sales (breakfast, lunch, and à la carte) are recorded in a spreadsheet by each cafeteria. The information from each cafeteria is sent to the Staff Dietician at the end of the month.
    Risk Details: Data entry errors. Meals misclassified resulting in the incorrect reimbursement rate being used.
    Risk Level: Moderate to High – Misclassification of meals could result in the Exchange being over/under compensated for actual meals served.
    Audit Procedure: Determine the process for capturing and reporting sales to Exchange Headquarters.
    Fraud Test: Same as Audit Procedure.

Process Flow: (continued from above)
    Process Control Points: Staff Dietician then consolidates the information from each cafeteria into two spreadsheets (one for Europe and one for Pacific) showing totals by exchange and for the Region.
    Risk Details: Data entry errors. Incorrect formulas. Meals misclassified resulting in the incorrect reimbursement rate being used.
    Risk Level: Moderate to High – Misclassification of meals could result in the Exchange being over/under compensated for actual meals served.
    Audit Procedure: Determine the process for consolidating and reporting the number of meals served to FA. Review sales data submitted to the consolidated spreadsheet created by the Staff Dietician.
    Fraud Test: Same as Audit Procedure.

Process Flow: (continued from above)
    Process Control Points: Staff Dietician then completes the USDA form and sends the information to Family Assistance (FA).
    Risk Details: Data entry errors. Incorrect formulas. Meals misclassified resulting in the incorrect reimbursement rate being used.
    Risk Level: Moderate to High – Entry errors, incorrect formulas, and meal misclassification could result in the Exchange being over/under compensated for actual meals served. Incorrect billing could result in decreased reimbursements from USDA in the future.
    Audit Procedure: Compare data on consolidated spreadsheet to information included on USDA form.
    Fraud Test: Same as Audit Procedure.

Process Flow: USDA billed for pattern meals served during a given month.
    Process Control Points: FA completes USDA invoice based on information received from the Staff Dietician.
    Risk Details: Incorrect billing amount.
    Risk Level: Low – FA creates a monthly invoice and bills USDA based on the totals calculated by the Staff Dietician.
    Audit Procedure: Compare data sent to FA to USDA invoice completed by FA and submitted to the USDA for reimbursement.
    Fraud Test: Same as Audit Procedure.

Process Flow: (continued from above)
    Process Control Points: USDA reimbursements, both cash and commodity, are entered into the FA quarterly spreadsheet.
    Risk Details: Data entry errors. Incorrect formulas.
    Risk Level: Low to Moderate – USDA reimbursements are calculated by the Staff Dietician; however, if FA enters the wrong reimbursement amount into their quarterly spreadsheet, this will have an effect on the billing to DoDEA.
    Audit Procedure: Compare USDA monthly invoices to amounts included in FA quarterly spreadsheet.
    Fraud Test: Same as Audit Procedure.

Process Flow: FA completes quarterly spreadsheet using Report Management and Distribution System, Hyperion, Strawman Report, and Integrated Ledger Accounting System.
    Process Control Points: Program sales and expenses are taken from various sources and included on quarterly spreadsheet. Reimbursements from USDA (both cash and commodity) are also included. The remaining balance is the program gain/shortfall.
    Risk Details: Data entry errors. Incorrect formulas.
    Risk Level: Low to Moderate – One data entry error/incorrect formula could have a snowball effect impacting the total reimbursement of program operations.
    Audit Procedure: Compare information obtained from various sources to the data entered into the quarterly spreadsheet.
    Fraud Test: Same as Audit Procedure.

Process Flow: (continued from above)
    Process Control Points: (none listed)
    Risk Details: Personnel costs inflated and/or personnel costs not transferred to other food facilities during the summer months.
    Risk Level: High – School Meal Associates and the related personnel costs are not tracked during the summer months to ensure these associates are being utilized when schools are closed.
    Audit Procedure: Review facility personnel costs and personnel cost transfers to ensure the desired goal for personnel costs is 50% below sales and school meal associates are being effectively utilized in the summer months when school is closed.
    Fraud Test: Same as Audit Procedure.

Process Flow: DoD Education Activity (DoDEA) billed quarterly for program shortfalls.
    Process Control Points: FA completes quarterly invoice to DoDEA based on program shortfalls after USDA reimbursement.
    Risk Details: Incorrect billing amount.
    Risk Level: Low – DoDEA invoice is created directly from FA's quarterly spreadsheet. The risk is in the completion of the spreadsheet and not in the creation of the invoice.
    Audit Procedure: Compare quarterly results to invoices submitted to DoDEA.
    Fraud Test: Same as Audit Procedure.


Army Audit Agency Fraud Risk Assessment Approach

The Army Audit Agency's (AAA) fraud risk assessment methodology emphasizes the auditor's assessment of the fraud risk environment and the importance of auditor brainstorming in developing audit steps to identify fraud indicators and schemes. Figure 11 outlines AAA's fraud risk assessment methodology.

Figure 11.
Key Steps for the AAA Fraud Risk Assessment Approach\n\n\n                      AAA Key Steps of Fraud Risk Assessments\n\n   1.\t   Determining Relevant Fraud Risks within the Context of Audit Objectives\n\n   2.\t   Assessing the Fraud Risk Environment\n\n   3.\t   Identifying Potential Fraud Schemes and Prioritize Them Based on Risk\n\n   4.\t   Mapping Existing Controls to Potential Fraud Schemes and Test Controls\n\n   5.\t   Testing for Fraud\n\n\n\n\nDetermining the Relevant Fraud Risks Within the Context of\nAudit Objectives\nTo identify relevant fraud risks within the context of the audit objectives, the audit\nteam starts the fraud risk assessment process by asking themselves whether fraud is\nlikely to occur within the operation or program being audited. Examples of topics\nconsidered during the team brainstorming meeting include the potential for the\ntheft of cash or other assets, bribery and kickbacks, and personal financial gain.\nAuditors also apply their overall knowledge of a program or operation, previous\naudit results, and knowledge of current fraud trends to help identify fraud risks.\n\nThe AAA method emphasizes that not all DoD programs or operations are high-risk\nareas for fraud. For example, the potential for auditors to encounter fraud when\nconducting a property accountability audit is generally much higher compared to\nan audit of unit training. 
However, auditing standards and AAA procedures require written documentation of the auditors' fraud risk assessment analysis in the work paper files for both high- and low-risk areas.

Assessing the Fraud Risk Environment

When assessing the fraud risk environment, it is important for auditors to consider fraud risk indicators. The AAA approach assigns qualitative scores of high, medium, or low and requires auditors to consider the likelihood and impact of each risk indicator. Figure 12 outlines heightened fraud risk factors presented in the 2011 Revision of GAGAS. AAA uses the Government Accountability Office examples in its fraud risk analysis.

Figure 12. Example Fraud Risk Factors

GAGAS Indicators of Heightened Fraud Risk

1. The audited entity's operations provide opportunities to engage in fraud.
2. The entity's financial stability, viability, or budget is threatened by economic, programmatic, or entity operating conditions.
3. Management's monitoring of compliance with policies, laws, and regulations is inadequate.
4. The organizational structure is unstable or unnecessarily complex.
5. Management's communication and/or support for ethical standards are lacking.
6. Management is willing to accept unusually high levels of risk in making significant decisions.
7. The entity has a history of impropriety, such as previous issues with fraud, waste, abuse, or questionable practices, or past audits or investigations with findings of questionable criminal activity.
8. Operating policies and procedures are not developed or are outdated.
9. Key documentation cannot be provided or does not exist.
10. The entity's asset accountability or safeguarding procedures are inadequate.
11. The entity has a history of improper payments.
12. Management provides false or misleading information.
13. There is a pattern of large procurements in a budget line with remaining funds at year end, in order to "use up all of the funds available."
14. There are unusual patterns or trends in contracting, procurement, acquisition, and other activities of the entity or program under audit.

Identifying Potential Fraud Schemes and Prioritizing Based on Risk

If an auditor concludes that there is a high fraud risk environment, they are required to:

• Identify potential fraud schemes. When identifying fraud schemes, it is important that auditors brainstorm and remain open to all team member suggestions. Researching current and past fraud trends specific to a program or activity is also encouraged.

• Prioritize fraud risks based on likelihood and impact. Likelihood refers to the possibility of the event occurring, while impact pertains to the effect on the organization. When determining impact, it is important to consider both the potential for monetary losses and the impact on the organization's reputation if the event occurred.

Mapping Existing Controls to Potential Fraud Schemes

Auditors identify controls to prevent fraud for each likely fraud scheme and then perform tests of controls. When performing this step it is important to:

• Apply auditor training and skills.
• Review key controls in the organization's internal control checklists.
• Review applicable regulations, standard operating procedures, and system user manuals to understand business operations and control processes.
• If the tests of controls disclose weaknesses, expand audit testing to determine the impact or effect on the audit objective.

Additionally, other fraud risk assessment approaches recommend interviewing employees and managers responsible for the program or activity.

An illustrative example of AAA's identification of fraud schemes, fraud indicators, and mapping of internal controls to fraud schemes is provided in Figure 13. This example pertains to a review of the Defense Travel System (DTS) and is presented for illustrative purposes only.15

15 Army Audit Agency, "Fraud Risk Training," not dated.

Figure 13.
AAA Fraud Risk Assessment Matrix

Fraud Scheme | Probability (H/M/L) | Monetary Loss (H/M/L) | Internal Controls
Altering bank account to divert travel payments to specific bank accounts. | M | H | Separation of duties; limit Permission Level 5 administrative power.
Altering routing lists to reroute travel vouchers to inappropriate approvers. | H | M | Limit Permission Level 5 administrative power.
Altering e-mail information to screen personnel from DTS communications with DTS profile owner and management. | H | M | Limit Permission Level 5 administrative power.
Amending previously settled vouchers to increase authorized lodging per diem rates, in addition to adding bogus expenses with no documentation. | M | H | Limit Permission Level 5 administrative power. Alter guidance to require supporting documentation.
Creating and approving authorizations and vouchers for temporary duty travel after the temporary duty travel is complete. | M | M | Limit Permission Level 5 administrative power. Alter guidance to require supporting documentation.

Fraud Indicators
• Multiple stamps by the same individual on a single voucher.
• Multiple DTS users with the same bank account or government credit card information.
• High-dollar value travel vouchers with no documentation.
• Amendments to travel vouchers that are increased by more than 25% of the original cost of the voucher.
• Amendments to travel vouchers that are made more than 60 days after original approval.
• Amendments made to prior year travel documents.
• Multiple amendments to travel vouchers that contain the same traveler or approver.
• Vouchers filed more than 15 days after the end of the trip.
• Manual per diem rate changes in DTS.

H - Indicates High
M - Indicates Medium
L - Indicates Low

Testing for Fraud

Procedures to test for fraud will vary for each engagement. When developing tests for fraud, it is important that auditors keep an open mind and think like a fraudster when performing their work. With fraud, it is important to remember that anything is possible.
It is also an effective strategy to consult with forensic auditors and subject matter experts to assist with designing and executing fraud testing procedures. Figure 14 presents examples of audit tests to detect fraud.

Figure 14. Fraud Tests

Example Audit Tests to Detect Fraud

• Talk to lower level operating personnel about observing any unethical or suspect activities occurring within the past 12-18 months
• Observe operations and visit contractors' place of business
• Perform trend analysis
• Identify unusual data patterns
• Conduct ratio analysis
• Compare prices
• Evaluate justifications and approvals for sole-source acquisitions
• Evaluate compliance with sole-source selection criteria
• Check for document tampering or errors
• Identify and analyze duplicate transactions
• Compare invoiced quantities to purchased quantities
• Identify transactions occurring out of logical sequence
• Identify transactions furthest from the mean
• Analyze e-mails

Summary of DoD Audit Organizations' Approaches for Conducting Fraud Risk Assessments

Table 2 summarizes fraud risk assessment approaches developed by MCNAFAS, AAFES, and AAA. The table is intended to illustrate the similarities and differences between the various approaches for assessing fraud risk. DoD audit organizations should consider implementing one or more of these methods when performing their work. Each of the suggested procedures can be modified to suit an organization's mission, size, or audit-specific objectives. Similarly, audit organizations are encouraged to develop other approaches for performing fraud risk assessments using information presented within this document as a resource.

Table 2. Summary of DoD Audit Organizations' Approaches for Conducting Fraud Risk Assessments

Audit Organization | Team Brainstorming to Identify Fraud Indicators and Schemes | Standardized Interview Questionnaire | Fraud Risk Assessment Template | Assign Risk Rankings | Assess Impact and Probability | Analyze Controls for Weaknesses | Develop Fraud Tests | Document Results
MCNAFAS | X | X | | Strong, Medium, Weak | | X | X | X
AAFES | X | | X | High, Moderate, Low | | X | X | X
AAA | X | | X | High, Medium, Low | High, Medium, Low | X | X | X
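The Figure 13 fraud indicators are stated as concrete thresholds (25 percent, 60 days, 15 days) and the Figure 14 tests include analytical checks such as identifying duplicate transactions and transactions furthest from the mean. The following Python script is an added worked example, not code from this report, the Army Audit Agency, or the Defense Travel System, that encodes those indicators as detection rules and runs them over a constructed set of travel voucher records. The Voucher record layout, the $5,000 high-dollar threshold, and all sample names, accounts and amounts are assumptions made for the example; the percentage and day limits are the ones Figure 13 states.

```python
# Added example (not from the DoD IG report or Army Audit Agency materials):
# apply the Figure 13 fraud indicators and a Figure 14 analytical test to
# constructed travel voucher records. Field names and the $5,000 high-dollar
# threshold are assumptions; the 25 percent, 60-day and 15-day limits are the
# thresholds stated in Figure 13.
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from statistics import mean, pstdev


@dataclass
class Voucher:
    voucher_id: str
    traveler: str
    approver: str
    bank_account: str
    trip_end: date
    filed: date
    approved: date                 # date of original approval
    original_amount: float
    current_amount: float          # amount after any amendments
    amendment_dates: list = field(default_factory=list)
    approval_stamps: list = field(default_factory=list)  # one name per stamp
    has_documentation: bool = True
    manual_per_diem_change: bool = False


def flag_indicators(vouchers, high_dollar=5000.0, amend_pct=0.25,
                    amend_days=60, filing_days=15):
    """Return {voucher_id: [indicator, ...]} for every voucher hitting a rule."""
    flags = defaultdict(list)
    travelers_by_account = defaultdict(set)
    amended_by_party = defaultdict(list)   # (role, name) -> amended voucher ids

    for v in vouchers:
        travelers_by_account[v.bank_account].add(v.traveler)
        if v.amendment_dates:
            amended_by_party[("traveler", v.traveler)].append(v.voucher_id)
            amended_by_party[("approver", v.approver)].append(v.voucher_id)
        if len(set(v.approval_stamps)) < len(v.approval_stamps):
            flags[v.voucher_id].append("duplicate stamps by one individual")
        if v.current_amount >= high_dollar and not v.has_documentation:
            flags[v.voucher_id].append("high-dollar voucher without documentation")
        if v.current_amount > v.original_amount * (1 + amend_pct):
            flags[v.voucher_id].append(f"amended upward by more than {amend_pct:.0%}")
        if any((d - v.approved).days > amend_days for d in v.amendment_dates):
            flags[v.voucher_id].append(f"amendment more than {amend_days} days after approval")
        if any(d.year > v.trip_end.year for d in v.amendment_dates):
            flags[v.voucher_id].append("amendment to prior-year travel document")
        if (v.filed - v.trip_end).days > filing_days:
            flags[v.voucher_id].append(f"filed more than {filing_days} days after trip end")
        if v.manual_per_diem_change:
            flags[v.voucher_id].append("manual per diem rate change")

    # Cross-voucher indicators need the whole population before they can fire.
    for v in vouchers:
        if len(travelers_by_account[v.bank_account]) > 1:
            flags[v.voucher_id].append("bank account shared by multiple travelers")
    for (role, _), ids in amended_by_party.items():
        if len(ids) > 1:
            for vid in ids:
                flags[vid].append(f"multiple amended vouchers for same {role}")
    return dict(flags)


def rank_by_distance_from_mean(vouchers):
    """Figure 14 test: rank vouchers by how far their amount sits from the mean (z-score)."""
    if not vouchers:
        return []
    amounts = [v.current_amount for v in vouchers]
    mu, sigma = mean(amounts), pstdev(amounts)
    if sigma == 0:
        return [(v.voucher_id, 0.0) for v in vouchers]
    scored = [(v.voucher_id, (v.current_amount - mu) / sigma) for v in vouchers]
    return sorted(scored, key=lambda t: -abs(t[1]))


# Constructed sample records; names, accounts and amounts are invented.
SAMPLE_VOUCHERS = [
    Voucher("V-001", "smith", "jones", "ACCT-1111", date(2013, 3, 10), date(2013, 3, 14),
            date(2013, 3, 16), 1200.0, 1200.0, approval_stamps=["jones"]),
    Voucher("V-002", "lee", "jones", "ACCT-2222", date(2013, 4, 2), date(2013, 4, 30),
            date(2013, 5, 1), 2000.0, 2900.0, amendment_dates=[date(2013, 7, 15)],
            approval_stamps=["jones", "jones"]),
    Voucher("V-003", "patel", "garcia", "ACCT-2222", date(2013, 12, 20), date(2013, 12, 28),
            date(2013, 12, 30), 6500.0, 6500.0, has_documentation=False,
            approval_stamps=["garcia"]),
    Voucher("V-004", "lee", "garcia", "ACCT-3333", date(2013, 11, 5), date(2013, 11, 8),
            date(2013, 11, 10), 900.0, 950.0, amendment_dates=[date(2014, 1, 20)],
            approval_stamps=["garcia"], manual_per_diem_change=True),
]

if __name__ == "__main__":
    for vid, hits in flag_indicators(SAMPLE_VOUCHERS).items():
        print(vid, "->", "; ".join(hits))
    for vid, z in rank_by_distance_from_mean(SAMPLE_VOUCHERS):
        print(f"{vid}: {z:+.2f} standard deviations from mean")
```

The per-voucher rules run in a single pass; the shared-bank-account and repeated-traveler/approver indicators are evaluated afterwards because they only become visible across the population, which is why Figure 14 pairs individual tests with trend and duplicate analysis. The z-score ranking is one reading of "identify transactions furthest from the mean"; on a small sample it ranks rather than proves anything, so the output is a list for an auditor to pull for documentation review, not a finding.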
Auditor Fraud Risk Assessment Special Considerations

Special Fraud Risk Considerations When Auditing Health Care Organizations

Healthcare Providers

Financial audit risks relating to healthcare provider organizations16 typically revolve around recognition of accounts receivable and revenue. In relation to accounts receivable, audit risks include overstatement of receivables due to inadequate assessment or reassessment of the methodology for establishing the allowance for uncollectable accounts. In addition to being an overall financial statement audit risk, revenue recognition may also be considered an area of potential fraud, because pressure to meet established revenue goals may lead to fraudulent reporting and recording of claims to healthcare payers. Typical schemes of provider revenue fraud include billing for services not provided to patients, falsification of claims (billing codes, dates, patient), incorrect collection of co-pays or deductibles, and improper use of prescription drugs. The magnitude of these risks (both overall audit risks and fraud risks) is assessed during the financial statement risk assessment process, including the brainstorming session during the planning phase of the audit.

Healthcare Payer

Financial statement audit risks related to healthcare payer organizations are often focused on estimates related to benefits due and payable. This includes risks surrounding the methodology used to develop the estimates, such as significant judgments and assumptions. In relation to fraud for healthcare payer organizations, the majority of the risks involve fraud committed against the company or agency by third parties (that is, applicants, beneficiaries, and healthcare providers) through fraudulent claims or abuse. Healthcare payer organizations must have robust quality assurance mechanisms to guard against fraudulent claims that may involve not only the claimant or healthcare provider, but also collusion between the claimant and the healthcare provider. The auditor should be sure to assess the impact during the overall risk assessment and fraud brainstorming sessions.

16 Grant Thornton, "DoD Office of Inspector General, Conducting Fraud Risk Assessments Within DoD, Project No. D2012-DIP0AI-00227.000, Grant Thornton Survey Responses," April 2013.

Special Fraud Risk Considerations When Auditing Government Contracts

Inadequate Government contract monitoring may lead to the misuse, abuse, and waste of Federal funds. During a performance audit, the auditor should determine the adequacy of the organization's procedures for performing effective oversight, evaluate internal control effectiveness, and evaluate training in contract administration, because these controls are fundamental in ensuring the proper and effective use of Federal funds to achieve program goals. Auditors should be attuned to the different types of fraud schemes that can occur during each stage of the procurement process.

Approaches for Conducting Entity-Wide Fraud Risk Assessments

There are numerous methods for conducting entity-wide fraud risk assessments. Approaches developed by DoD organizations and standard-setting bodies such as the AICPA, Association of Certified Fraud Examiners (ACFE), IIA, Australian National Audit Office, and public and private sector entities are presented in this section. While we are not recommending one specific approach, we are providing a range of options for DoD entities to consider when assessing fraud risk. Report users are also encouraged to review Appendix K, Suggested Resources, for additional information about these methods and related resources.

Fraud Risk Assessment Benefits for DoD Organizations

Table 3 provides information about the principles, benefits, and opportunities of conducting entity-wide fraud risk assessments.
DoD organizations are encouraged to use the information as a tool to educate employees and agency managers regarding the benefits and opportunities of establishing fraud risk assessment programs. Most importantly, entity-wide fraud risk assessments provide a cost-effective way for organizations to mitigate fraud risks, identify control weaknesses, and educate employees about fraud.

    For maximum benefit, entity-wide fraud risk assessments should not be considered as a check the box exercise.
        Director, KPMG Forensic Practice

Table 3. Entity-Wide Fraud Risk Assessment Principles, Benefits, and Opportunities

Principle: Responsibility for the fraud risk assessment process must be clearly established.
  Benefits:
    • Organizational commitment and cooperation
    • Ownership of the process and output, resulting in greater quality of data
    • Accountability for taking risks
  Opportunities:
    • Collaborate on key risk decisions
    • Drive consistency in approaches to assessing fraud risks

Principle: Fraud risk assessments begin and end with clearly defined objectives.
  Benefits:
    • Defined scope for fraud risk assessment
    • Accountability for the achievement of objectives
    • Fraud risk discussion targeted in the context of specific objectives, risk appetite, and tolerance
  Opportunities:
    • Identification and evaluation of fraud risks is available for the organization

Principle: Fraud risk rating scales are defined in relation to the organization's risk tolerance.
  Benefits:
    • Common basis for assessment of fraud risks
    • Assessment of the impact and probability of fraud risks in relation to stated objectives
  Opportunities:
    • Measure and monitor the organization's ability to achieve objectives

Principle: The organization forms a portfolio view of fraud risks to support decision making.
  Benefits:
    • Prioritization of the organization's most significant fraud risks
    • Ability to view and manage fraud risks that span multiple functional areas
    • Clarity on the interrelationships between fraud risks and risk responses that may be required
    • Fraud risks are not merely avoided but understood, and risk-informed decisions are made to seize opportunities
  Opportunities:
    • Deliver integrated responses to multiple fraud risks
    • Identify immediate and longer term improvement opportunities
    • Prioritize deployment of capital and measurement of relative performance across various objectives or entities

Principle: Leading indicators are used to provide insight into potential risks.
  Benefits:
    • Forward-looking analysis in relation to the overall portfolio of fraud risks
    • Analysis enables the detection of relevant changes in the environment that could impact the achievement of objectives and prompt action as necessary
  Opportunities:
    • Reduce instances of fraud and associated losses
    • Use relevant fraud risk information to guide decision making

Adapted from PricewaterhouseCoopers, "How principles-based risk assessment enables organizations to take the right risks," 2008.

DoD Investigative Organizations' Fraud Risk Assessment Approaches

DoD investigative organizations initiate entity-wide fraud risk assessments. Other stakeholders participating in the assessments include auditors and security personnel. DoD investigative organizations' approaches to identify and evaluate fraud risks include:

• Brainstorming sessions to identify fraud schemes that could potentially threaten DoD programs. Risk rankings are assigned by some organizations. Example rankings range from weighted risk scores based upon specific criteria to rankings of high, medium, or low.
• Analysis of internal and external fraud trends.
• Reviews of ongoing and prior fraud cases.
• Input from field office locations.
• Study of reports prepared by the ACFE to pinpoint emerging fraud trends.
• Installation-level fraud risk reviews designed to target risks within specific geographic areas.
• Evaluation of expenditures to identify higher risk programs.
• Analysis of programs with increased levels of congressional interest.

Once the assessments are complete, some organizations report their results to internal stakeholders and senior managers. This approach ensures communication of fraud trends and mission priorities throughout the organization.
Additionally, DoD investigative organizations proactively increase employees' fraud awareness through fraud briefings and on-line training classes.

Figure 15 summarizes benefits of DoD investigative agencies' approaches for conducting fraud risk assessments. DoD entities should consider using these methods when assessing fraud risk within programs or operations. The suggested approaches can also be modified to align with an organization's mission, size, or known fraud vulnerabilities.

Figure 15. Advantages of DoD Investigative Organizations' Fraud Risk Assessments

Benefits of DoD Investigative Organizations' Fraud Risk Assessments

• Identify high-risk areas and trends.
• Results are used to develop fraud awareness training for employees.
• Communicate to senior management high-risk areas and vulnerabilities.
• Prioritize and help to plan the use of internal resources.
• Communicated to employees – "This is why we are doing what we are doing."
• Focus fraud efforts on areas of high Congressional interest.
• For decentralized organizations, encourage communication and participation from employees working at contiguous and overseas locations.

Navy Exchange Service Command Fraud Risk Assessment Approach

Navy Exchange Service Command (NEXCOM) Internal Audit representatives facilitate CSAs. A CSA is a process through which internal control effectiveness is examined and assessed to provide reasonable assurance that all business objectives are met. Previous CSA review areas include cash and credit card operations, purchase cards, and inventory controls. At the start of each assessment, Internal Audit conducts fraud awareness training. The training emphasizes a range of topics that include fraud indicators and key components of internal controls.17 Representatives from the review areas are also provided information about the CSA, its objectives, and its approach.

17 The Committee of Sponsoring Organizations defines internal control key components as the control environment, risk assessment, control activities, information and communication, and monitoring.

To ensure a productive CSA, facilitators emphasize the information in Figure 16 to participants prior to discussing internal controls and identifying potential control gaps.

Figure 16. Ground Rules

CSA Ground Rules

• Open Communication
• Involvement and Input from Everyone
• No Right or Wrong Answers
• Respect for Everyone's Opinions and Ideas
• Open to all Ideas – Nothing is Considered Too Outrageous
• No Interrupting

When the assessments are complete, the results are reported to management of the reviewed area. This information provides opportunities to address control gaps prior to an audit and helps to mitigate the risk of potential frauds. However, it is important to remember that CSAs cannot be expected to identify all existing control gaps or prevent fraud from occurring.

CSA Approach for Assessing Fraud Risks

Figure 17 summarizes the CSA approach for assessing fraud risks. It is important that DoD organizations complete the assessments in the order described to maximize results.

Figure 17. CSA Fraud Risk Overview

CSA Approach for Assessing Fraud Risks

1. Identify management's objectives
2. Brainstorm risks
3. Map process and controls in place to reduce risks and identify gaps in controls
4. Assess risk
5. Formulate risk rankings – Significance and Likelihood of Occurrence
6. Identify potential solutions to address the most significant gaps

Risk Rankings

When assessing significance and likelihood of fraud risks, rankings of low, medium, and high are used by CSA participants. A low risk is considered unlikely to occur and would not materially impact the attainment of objectives. Medium risks are considered somewhat likely to happen and could impact the attainment of objectives. High risks are categorized as likely to occur and would significantly impact the attainment of objectives. For example, if an identified risk is likely to occur and could significantly impact the attainment of an objective, then the risk is considered high; therefore, controls would need to be put in place to reduce the risk.

Example CSA Risk Ranking

Table 4 depicts results of a CSA review of vending operations at a DoD retail operation.

Table 4. CSA Risk Ranking Template

Risks:
1. Route drivers pilfer from sales receipts
2. Susceptibility of dollar bill changers
3. Pilfering vending merchandise
4. Misuse of government vehicles
5. Time and Attendance fraud
6. Inadequate key control
7. Inadequate inventory of vending machines
8. Inaccurate vending warehouse inventory
9. Inaccurate vending

Controls:
Keys: Supervisor retrieves keys from a lock box located at the Navy Lodge's administration for the vending house exterior door, office doors and the manager's lock box. The lock box contains master keys for routes to include vending machines, building doors and duplicate keys. Route drivers will obtain keys from the red lock box located in the clerk's office for their respective routes.
Drivers: Drivers pull vending inventory merchandise for the day.

Gaps:
Gap: Route driver money bags containing vending sales receipts at the end of the day are not locked.
Gap: Money bag numbers are not tied to a particular vending machine.
Gap: Lack of structured dollar bill changer audits.
Gap: Documentation of
The        unannounced change fund\n      machine inventory          merchandise is verified by a        counts is not maintained.\n 10.\t Inaccurate vending         vending clerk, supervisor or\n      truck inventory            manager. Route order sheet is\n 11.\t Inadequate staff to        signed by driver and verifier.      Gap: Consider outside\n      support vending            Once verified, driver\xe2\x80\x99s load        training for upper level\n      operations                 their inventory items on            vending management.\n                                 their vending route truck to\n 12.\t Inadequate control         replenish truck inventory and\n      over spoilage\n                                 fill machines.\n 13.\t Truck change funds\n      not properly tracked\n      and controlled\n\n\n\n\n                                                                                                      DODIG-2014-094\xe2\x94\x82 43\n\x0cApproaches for Conducting\nEntity-Wide Fraud Risk Assessments\n\n\n                 Guidance for Audit Organizations Facilitating CSAs\n                 Audit organizations performing work in accordance\n                 with    GAGAS     should      ensure   compliance     with  Audit\n                 GAGAS     2011    independence    requirements         organizations\n                                                                     performing work in\n                 pertaining to the conduct of nonaudit services\n                                                                   accordance with GAGAS\n                 prior to facilitating CSAs. 
Auditors should     should ensure compliance\n                 review    the    GAGAS    nonaudit    service        with GAGAS 2011\n                 requirements to determine whether providing    independence     requirements\n                                                                  pertaining to the conduct\n                 the service creates a threat to independence,       of nonaudit services\n                 either by itself or in the aggregate with            prior to facilitating\n                 other nonaudit services provided, with respect              CSAs.\n                 to     GAGAS    audits   it   performs.    Auditors   should\n                 document \xe2\x80\x85the \xe2\x80\x85results \xe2\x80\x85of \xe2\x80\x85their \xe2\x80\x85assessments \xe2\x80\x85in \xe2\x80\x85the \xe2\x80\x85work \xe2\x80\x85paper \xe2\x80\x85files.\n\n\n                 Naval Sea Systems Command Fraud\n                 Mitigation Framework\n                 The Naval Sea Systems Command (NAVSEA) entity-wide approach to prevent and\n                 detect acquisition fraud consists of policy, training, and execution processes. Using\n                 an integrated approach, risk mitigation activities are included in policies, oversight\n                 and execution processes, and training efforts across the entire acquisition\n                 continuum. Figure 18 illustrates NAVSEA\xe2\x80\x99s fraud mitigation framework, which is\n                 also referred to as \xe2\x80\x9cCrossfire on Risk.\xe2\x80\x9d\n\n\n\n\n44 \xe2\x94\x82 DODIG-2014-094\n\x0c                                                                                                            Approaches for Conducting\n                                                                                                   Entity-Wide Fraud Risk Assessments\n\n\nFigure 18. 
NAVSEA Risk Mitigation Framework\n\n                                           Cross\xef\xac\x81re on Risk\n\n                                                           Policy:\n                                                      Commitment to\n                                                    Reduce Fraud Risk\n                                                   Across the Enterprise\n                                                      Command Task\n                                                     to Instill Systems\n                                                  of Accountability within\n                                 Sy AVS SE Inst     NAVSEA Processes\n\n\n                                                                                                        Oversight:\n\n\n\n\n                                                                                 s RA ns\n                                   mp E A, ruc\n                                   Co sium IG G, C ns\n                                    N AV\n\n\n\n\n                                                                               on -F io\n                                     o A O OI tio\n\n\n\n\n                                                                                     M\n                                                                            cti C uct\n                                     mm \xe2\x80\x93 Ins -F\n                                                                                                        NAVSEA OIG\n                                       N\n\n\n\n\n                                                                         tru IG, str\n         Training:\n                                         an Fra truc RAM\n\n\n\n\n                                                                      Ins , O G In\n                                                                                                      Corrective Action\n                       
                    de ud tio\n                                             r\xe2\x80\x99s Fo ns\n\n\n\n\n                                                                        EA OI\n        NAVSEA OIG                                                                                      Oversight of\n\n\n\n\n                                                                     VS EA\n    Risky Behavior (Ethics)                                                                       Investigation/Inspection\n\n\n\n\n                                                                   NA VS\n                                                   cu\n\n\n\n\n                                                                     NA\n       Training Program                                                                                   Findings\n                                                      s\n\n\n\n     NAVSEA Contracts \xe2\x80\x93                                                                               Partnership with\n  Revised Contracting Policies                            Successful                                     Navy Law\n                                                             Risk                                Enforcement & Acquisition\n   NAVSEA, OIG, C-FRAM                                    Mitigation\n       Fraud Awareness                                                                              Integrity Office (AIO)\n            Training                                                 As ma ne a Self ion E ina   NAVSEA, OIG, C-FRAM\n                                                                      Co Ho nua ifica Ex\n                                         tor eh ers r n\n\n\n\n\n                                                                       se nd nd As ve tio\n                                      ica y B ad tte io\n\n\n\n\n                                                                        m tli l\n\n                
                                                                                    Acquisition Fraud \xe2\x80\x93\n                                    nd sk le Le vis\n\n\n\n\n                                                                         ss Ev In se ry ns\n    Revised COR Training                                                   ibl a ve ss 3\n                                 d i Ri ive nt er\n\n\n\n\n                                                                                                     Proactive Review\n                                                 ior p\n\n\n\n\n                                                                              e U lua st m Y\n                               an on \xe2\x80\x9c cut tme /Sup\n\n\n\n\n                                                                               An cert aud\n                                            s\xe2\x80\x9d av hi\n\n\n\n\n       Command Ethics\n                                                    s\n\n\n\n\n                                                                                 Re Fr\n\n\n\n\n                                                                                 nit tion iga ent rs.  
(Data Mining),\n                                ng ex oi ns\n\n\n\n\n                                                                                    s O & tio s\n                             ini ite pp tio\n\n\n\n\n           Programs                                                                    ve Re ns             Fraud\n                          tra -s A ina\n                                        e n\n\n\n\n\n                                                                                         rsi vie\n                             On O Nom\n\n\n\n\n                                                                                                             Risk\n                                                                                            t am\n\n\n\n\n                                                                                            gh w\n                                                                                              t\n                                      R\n                                      R\n\n\n\n\n                                                                                                        Assessments\n                                   CO\n                                  C\n\n\n\n\n                                                      Execution:\n                                                   Contracting Officers\n                                       Contracting Officer Representatives (COR)\n                                       Properly Executed Contracting Mechanisms\n                                  Contract Quality Control and Surveillance Mechanisms\n                                   Program Managers & Business Finance Managers\n                                                      Legal Reviews\n                                                   Comptroller Reviews\n                                           Deputy of Small Business Reviews\n                                
                 Pre-Award Peer Reviews\n                                               Inspection and Acceptance\n\n\n              Primary Responsibilities:\n                 NAVSEA/Program Executive O\xef\xac\x83ces (PEO) Leadership\n                 NAVSEA OIG\n                 NAVSEA OIG, Contract Fraud Risk Assessment and Mitigation Branch (C-FRAM)\n                 NAVSEA Contracts\n                 PEO/Requirements Holders, Command Sta\xef\xac\x80 Codes\n                 NAVSEA Employees\n\n                      Individual Personal Responsibility at All Organizarional Levels\n          Risk Mitigation must be included in Policies, Oversight and Execution Processes,\n                     as well as Training Across the Entire Acquisition Continuum\n\n\n\n\n                                                                                                                             DODIG-2014-094\xe2\x94\x82 45\n\x0c  Approaches for Conducting\n  Entity-Wide Fraud Risk Assessments\n\n\n  NAVSEA identifies elements of successful acquisition anti-fraud programs, based upon guidance developed by the ACFE. The model also\n  emphasizes the importance of fraud risk assessments as a tool to determine if controls are sufficient to mitigate fraud, waste, and abuse\n  within the organization. The model is illustrated in Figure 19.\n\n  Figure 19. 
Elements of a Successful Acquisition Anti-Fraud Program\n\n                                                    \xef\x82\x9f   Promote honest and ethical conduct; Report internal violations of the code promptly                       Leadership\n                                                    \xef\x82\x9f   Provide full, fair, accurate, timely and understandable disclosure in reports and documents                  Legal\n                                Code of Ethics      \xef\x82\x9f   Comply with applicable laws, rules, and regulations                                                           OIG\n                                                    \xef\x82\x9f   Be accountable for adherence to the code and the sanctions to be imposed                                   C-FRAM\n\n\n                                                    \xef\x82\x9f   Specific to NAVSEA and its operations; Guide employees through complex issues                             Leadership\n                                    Fraud           \xef\x82\x9f   Establish procedures to govern the escalation of fraud allegations                                        Contracting\n                                 Prevention         \xef\x82\x9f   Service Contract Court; Tripwires; Contract Deep Dives, Procurement Surveillance Program                   C-FRAM\n                                   Policies         \xef\x82\x9f   Provide a channel (hotline) for employees or third parties to report fraud; Provide support and              OIG\n                                                        protection for whistleblowers                                                                               Legal\n\n\n                                                    \xef\x82\x9f   Educate employees regarding the DON/NAVSEA\xe2\x80\x99s code of ethics                                               Contracting\n                               Communication        \xef\x82\x9f   Understand and communicate the 
protocols for reporting suspicious activity                                  Legal\n                                 & Training         \xef\x82\x9f   Communicate the disciplinary actions that may be taken in the event of fraud                               C-FRAM\n                                                    \xef\x82\x9f   Raise awareness of fraud schemes and scenarios that are specific to command                                  OIG\n\n\n                                                    \xef\x82\x9f Identify common fraud schemes that could occur & fraud schemes that are NAVSEA specific\n                                    Fraud           \xef\x82\x9f Create a road map for future areas to analyze with analytics and determine if controls are sufficient        C-FRAM\n                                     Risk             to mitigate fraud, waste & abuse\n                                                                                                                                                                     OIG\n                                 Assessment         \xef\x82\x9f Provide annual and real-time updates to fraud risk assessment work plan to address change in\n                                                      business environment, acquisitions, current issues, etc\n\n\n                                                    \xef\x82\x9f Rank fraud schemes identified within the risk assessment\n                                                    \xef\x82\x9f Utilize inspection program to test internal controls throughout command; Use Procurement\n                                  Controls            Surveillance Plan to test compliance and processes in contracting                                           Contracting\n                                 Monitoring         \xef\x82\x9f Develop action plans to assess, improve, and/or monitor the controls associated with the risk identified     C-FRAM\n                                              
      \xef\x82\x9f Report the results to NAVSEA Leadership; Incorporate results from all back into Fraud Risk Assessment\n\n\n\n                                   Fraud            \xef\x82\x9f Establish investigation protocols; Coordinate remediation action steps                                     NCIS, OIG, AIO\n                                  Response          \xef\x82\x9f Develop investigation protocols for internal and external resources                                         (Investigation\n                                                    \xef\x82\x9f Help set the tone within NAVSEA with respect to fraud                                                      Support: Legal\n                                    Plan                                                                                                                            & C-FRAM)\n\n\n                         C-FRAM\t \xe2\x80\x93\t NAVSEA OIG, Contract Fraud Risk Assessment and Mitigation Branch\n                         DON\t    \xe2\x80\x93\t Department of the Navy\n                         NCIS\t   \xe2\x80\x93\t Naval Criminal Investigative Service\n\n\n\n46 \xe2\x94\x82 DODIG-2014-094\n\x0c                                                                                                             Approaches for Conducting\n                                                                                                    Entity-Wide Fraud Risk Assessments\n\n\nNAVSEA, Office of Inspector General, Contract Fraud\nRisk Assessment and Mitigation Branch, Fraud Risk\nAssessment Approach\nThe NAVSEA organization facilitates fraud risk assessments at local commands,\nleveraging Texas Tech Tech University Systems\xe2\x80\x99 (Texas Tech) perception-based\nfraud risks assessment model.18 However, NAVSEA does not incorporate electronic\npolling within their assessments. 
All focus groups\xe2\x80\x99 discussions are facilitated by\nthree NAVSEA employees that perform the roles of primary and secondary\nfacilitators and scribes. At the end of the discussions, scribe notes are sent to\nparticipants to ensure accuracy.\n\nPrior to the site visit, department managers are asked to identify a cross section\nof employees to participate in the fraud risk discussions and focus groups.\nMeeting topics include the acquisition process, internal control weaknessess, and\npotential fraud schemes. All focus group members possess a solid understanding\nof fraud indicators and schemes. Employees selected for participation are\nstatistically significant; however, most answers provided by participants and analyzed\nby facilitators are qualitative rather than quantitative.\n\n\nExample Fraud Risk Assessment Results\nDuring one fraud risk assessment, discussions were held with 57 employees\n(approximately 20 percent were civilians) to obtain information about their\nperceived fraud risks. These employees were divided into four focus groups\nrepresenting all major functional areas: Contracts, Finance, and Engineering.\nAdditionally, team members conducted discussions with 1 composite group,\nconsisting of 13 employees from all major functional areas, that were not included\nin the original focus group. Lastly, 14 individual interviews were completed\nwith employees who self-identified as wishing to discuss issues with NAVSEA\nrepresentatives and other employees from major functional areas.\n\nBased on the information obtained from focus groups, composite groups, and\nindividual interviews, the site visit team found common fraud vulnerabilities and\nsuggested mitigation strategies for the Commanding Officer. 
Table 5 lists the\nfraud vulnerabilities with the mitigation strategies.\n\n\n\n\n\t 18\t\n        Texas Tech\xe2\x80\x99s fraud risk assessment approach is discussed on pages 63 through 66 of this report.\n\n\n\n\n                                                                                                                       DODIG-2014-094\xe2\x94\x82 47\n\x0cApproaches for Conducting\nEntity-Wide Fraud Risk Assessments\n\n\n                 Table 5. Fraud Vulnerabilities and Mitigation Methods\n                          Common Fraud Vulnerabilities                            Mitigation Strategies\n                                                                Assess Managers\xe2\x80\x99 Internal Controls Program Assessable\n                      Possible fraudulent schemes               Units and other processes to determine whether fraud\n                                                                vulnerabilities are identified and mitigated.\n                                                                Review contract surveillance plans on all current and\n                      Contract management                       future contracts. Assess and establish mitigation plans.\n                                                                Cross check with contracts and contracting officer\xe2\x80\x99s\n                      Financial review and payment system       representative to verify costs incurred and work\n                                                                accomplished.\n                                                                Identify and train contracting officer\xe2\x80\x99s representatives\n                                                                and appoint a representative for each contract per\n                      Contractor oversight                      agency regulations. 
Timely review of invoices in the\n                                                                accounting system.\n\n\n                 If a fraud risk assessment discloses high-risk areas or weak internal controls,\n                 NAVSEA conducts follow-up reviews. A report is sent to local command detailing\n                 the results of each review. See Appendix H for an example report.\n\n\n                 Advantages of the NAVSEA Fraud Risk Assessment Approach\n                 Figure 20 summarizes advantages of the NAVSEA approach for assessing fraud\n                 risks. DoD organizations are encouraged to consider incorporating some, or all,\n                 elements of this method when assessing fraud risks. The approach can also be\n                 modified to suit an entity\xe2\x80\x99s mission, size, or known fraud vulnerabilities.\n\n                 Figure 20. NAVSEA Fraud Risk Assessment Benefits\n\n\n                               Advantages of the NAVSEA Fraud Risk Assessment Approach\n\n                        \xe2\x80\xa2\t The use of small discussion groups encourages participation from\n                            all attendees.\n\n                        \xe2\x80\xa2\t The approach provides opportunities for fraud awareness training and discussion,\n                            to include questions and answer sessions with NAVSEA subject matter experts.\n\n                        \xe2\x80\xa2\t Cross sections of employees from key business areas provide a range of fraud\n                            risk perceptions.\n\n                        \xe2\x80\xa2\t Results of the assessment are provided to the command to assist with\n                            mitigating potential fraud risks.\n\n\n\n\n48 \xe2\x94\x82 DODIG-2014-094\n\x0c                                                                                                         Approaches for Conducting\n                                                                         
                       Entity-Wide Fraud Risk Assessments\n\n\nProfessional Organization Guidance on Managing the\nBusiness Risk of Fraud\nThe IIA, AICPA, and ACFE worked with subject matter experts in fraud risk\nmanagement and developed a guide titled, \xe2\x80\x9cManaging the Business Risk of Fraud:\nA Practical Guide,\xe2\x80\x9d19 for conducting entity-wide fraud risk assessments. The\nthree organizations identified the following key principles for establishing an\nenvironment to manage an organization\xe2\x80\x99s fraud risk:\n\nPrinciple 1:\t As part of an organization\xe2\x80\x99s governance structure, a fraud risk\n                      management program should be in place, including a written policy\n                      (or policies) to convey the expectations of senior management\n                      regarding managing fraud risk.\n\nPrinciple 2:\tFraud risk exposure should be assessed periodically by the\n                      organization to identify specific schemes and events that the\n                      organization needs to mitigate.\n\nPrinciple 3:\t Prevention techniques to avoid potential fraud risk events should\n                      be established, where feasible, to mitigate possible impacts on the\n                      organization.\n\nPrinciple 4:\t Detection techniques should be established to uncover fraud events\n                      when preventive measures fail or unmitigated risks are realized.\n\nPrinciple 5:\t A reporting process should be in place to solicit input on fraud and a\n                      coordinated approach to investigation and corrective action should be\n                      used to help ensure potential fraud is addressed appropriately and in a\n                      timely manner.\n\n\nThe Fraud Risk Assessment Team\nThe fraud risk assessment team should consist of individuals from within the\norganization with different knowledge, skills, and perspectives. 
If expertise is not\navailable internally, external participants with expertise in applicable standards,\nkey risk indicators, anti-fraud methodology, control activities, and detection\nprocedures should participate. Within DoD, participation will vary depending on\nthe risk assessment objective. For example, fraud risk assessments that are\ntargeted to evaluate controls related to a procurement cycle will differ from\n\n\t19\t\n       IIA, AICPA, ACFE, \xe2\x80\x9cManaging the Business Risk of Fraud: A Practical Guide,\xe2\x80\x9d not dated.\n\n\n\n\n                                                                                                                   DODIG-2014-094\xe2\x94\x82 49\n\x0cApproaches for Conducting\nEntity-Wide Fraud Risk Assessments\n\n\n                 participants tasked with evaluating retail operations. Figure 21 contains examples\n                 of subject matter experts that should be considered when developing a fraud risk\n                 assessment team.\n\n                 Figure 21. 
Recruiting Team Members20\n\n\n                                                       Recruiting Subject Matter Experts\n\n                        After establishing your objective, consider recruiting experts such as:\n\n                         \xe2\x80\xa2\t DoD personnel responsible for administering the Managers\xe2\x80\x99 Internal\n                              Control Program,\n\n                         \xe2\x80\xa2\t accounting or financial personnel who are familiar with the financial\n                              reporting processes and internal controls,\n\n                         \xe2\x80\xa2\t nonfinancial           operations         personnel        to     leverage       their      knowledge          of\n                              day-to-day operations and issues within a program or process,\n\n                         \xe2\x80\xa2\t legal and compliance representatives because fraud risk assessments\n                              may identify risks resulting in potential criminal, civil, and regulatory\n                              liability if the fraud or misconduct were to occur,\n\n                         \xe2\x80\xa2\t team members from the auditing and investigations disciplines who\n                              can provide information about internal controls and fraud risks, and\n\n                         \xe2\x80\xa2\t organization management to ensure their commitment to the process\n                              and understanding of fraud risks within their areas of responsibility.\n\n\n\n\n                 Fraud Risk Assessment Approach Exercise\n                 To protect itself from fraud, an organization should understand fraud risk and\n                 the specific risks that directly or indirectly apply to the organization. A structured\n                 fraud risk assessment, tailored to the organization\xe2\x80\x99s size, complexity, and goals,\n                 should be performed and updated periodically. 
The assessment may be integrated with an overall organizational risk assessment or performed as a stand-alone exercise, but it should include risk identification, assessment of risk likelihood and significance, and risk response. Organizations should develop a framework to document their fraud risk assessment; Table 6 shows an example.

	20	DoD OIG, Office of Audit Policy and Oversight, modified this information from IIA, AICPA, ACFE, “Managing the Business Risk of Fraud: A Practical Guide,” not dated.

Risk Identification
Fraud risk identification includes gathering external information from regulatory bodies, industry sources, and professional organizations. Internal sources for identifying fraud risks should include interviews and brainstorming with personnel representing a broad spectrum of activities within the organization, review of whistleblower complaints, and analytical procedures. An effective fraud risk identification process includes an assessment of the incentives, pressures, and opportunities to commit fraud. The fraud risk assessment process should consider the potential override of controls by management as well as areas where controls are weak or there is a lack of segregation of duties.

Risk Likelihood and Significance
Assessing the likelihood and significance of each potential fraud risk is a subjective process. Not all fraud risks are equally likely, nor will all frauds have a significant impact on every organization. 
Assessing the likelihood and significance\nof identified inherent risks21 allows the organization to manage its fraud risks and\nimplement preventive and detective procedures. It is important to first consider\nfraud risks to the organization on an inherent basis or without consideration of\nknown controls. By taking this approach, the fraud risk assessment team is better\nable to consider all relevant fraud risks and design controls to address the risks.\nAfter mapping fraud risks to relevant controls, certain residual risks will remain,\nincluding the risk of management\xe2\x80\x99s override of established controls. The team\nmust evaluate the potential significance of those residual risks and decide on the\nnature and extent of the fraud preventive and detective controls and procedures\nto address such risks.\n\n\nLikelihood\nThe assessment of the likelihood of a fraud risk occurring generally includes\nanalyzing the following information: past instances of a specific type of fraud and\nthe prevalence of the fraud risk within the organization\xe2\x80\x99s industry. Other related\nfactors that should be considered include the number of individual transactions,\nthe complexity of the risk, and the number of people involved in reviewing or\napproving the process. Organizations can categorize the likelihood of potential\nfrauds occurring using any reasonable approach; however, three categories are\ngenerally adequate: remote, reasonably possible, and probable.\n\n\n\t21\t\n       Inherent risk is the risk before considering any internal controls in place to mitigate such risks. 
IIA, AICPA, ACFE, “Managing the Business Risk of Fraud: A Practical Guide,” not dated.

Significance
The assessment of the significance of a fraud risk should include not only financial statement and monetary significance, but also significance to an organization’s operations and reputation, as well as criminal, civil, and regulatory liability. Organizations can categorize the significance of potential frauds in as many categories as deemed reasonable, but three categories are generally adequate: inconsequential, more than inconsequential, and material.

Incentives and Pressures
As part of the risk assessment process, the organization evaluates the incentives and pressures on individuals and departments and should use the information gained in that process to assess which individuals or departments are most likely to have an incentive to commit a fraudulent act and, if so, by what means. This information can be summarized in the fraud risk assessment template and can help the organization design appropriate risk responses, if necessary.

Risk Response
Risk tolerance varies from organization to organization. Senior management or those charged with governance set the organization’s risk tolerance level, taking into consideration its responsibilities to all stakeholders. 
Some organizations want only to address fraud risks that could have a material financial statement impact; other organizations want a more robust fraud response program. Many organizations will state that they have a “zero tolerance” policy with respect to fraud. However, there may be certain fraud risks that an organization considers too expensive and time-consuming to address through controls. Consequently, the organization may decide not to put controls in place to address such risks. If such a fraud is discovered, zero tolerance for fraud would still be applied.

Figure 22 provides a summary of the professional organizations’ key elements of fraud risk assessments. DoD organizations are encouraged to use this summary as a tool to educate employees and managers about the fraud risk assessment process.

Figure 22. Key Elements of Fraud Risk Assessments

IIA, AICPA, ACFE – Summary of Key Elements of Fraud Risk Assessments

	1.	Identify inherent fraud risk – Gather information to obtain the population of fraud risks that could apply to the organization. 
Included in this process is the consideration of all types of fraud schemes and scenarios; incentives, pressures, and opportunities to commit fraud; and information technology fraud risks specific to the organization.

	2.	Assess likelihood and significance of inherent fraud risk – Assess the relative likelihood and potential significance of identified fraud risks based on historical information, known fraud schemes, and interviews with staff, including process owners.

	3.	Respond to reasonably likely and significant inherent and residual fraud risks – Decide what the response should be to address the identified risks and perform a cost-benefit analysis of fraud risks over which the organization wants to implement controls or specific fraud detection procedures.

Example Fraud Risk Assessment Framework
Organizations should document the results of the fraud risk assessment. Table 6 illustrates how the elements of fraud risk identification, assessment, and response are applied. For illustrative purposes, some information in this example was developed by the DoD OIG, Office of Audit Policy and Oversight, and also adapted from the State of North Dakota’s Fraud Risk Assessment Guidance.22 Appendix E contains another example illustrating potential revenue recognition risks within financial reporting.

Table 6. 
Example Fraud Risk Assessment

Columns: Identified Fraud Risks and Schemes | Likelihood | Significance | People and/or Department | Existing Anti-Fraud Controls | Controls Effectiveness Assessment | Residual Risk | Fraud Risk Response

Contract Award

Contracts improperly awarded
	Likelihood: Probable
	Significance: Material
	People and/or Department: Contracting Official
	Existing Anti-Fraud Controls: Multiple supervisory reviews are required for each contract award.
	Controls Effectiveness Assessment: Tested by management.
	Residual Risk: Potential for bribery or kickbacks to contracting employees. Bribery or kickbacks would be difficult to detect during management reviews.
	Fraud Risk Response: Management monitors contract awards. Employees are aware of the consequences of unethical behavior, to include termination and other adverse actions.

Unauthorized or missing approvals
	Likelihood: Probable
	Significance: Material
	People and/or Department: Contracting Officer
	Existing Anti-Fraud Controls: Supervisory reviews of all awards are required.
	Controls Effectiveness Assessment: Files are periodically reviewed by internal auditors and independent staff.
	Residual Risk: Adequately mitigated by controls.
	Fraud Risk Response: Fraud risk response not required; adequately mitigated by controls.

Missing or incomplete file documentation
	Likelihood: Probable
	Significance: Material
	People and/or Department: Contracting Officer
	Existing Anti-Fraud Controls: All records are maintained electronically. The system will not allow the contract award to process until all documentation is in the electronic record.
	Controls Effectiveness Assessment: System controls are in place to monitor awards.
	Residual Risk: Possible override of system controls by contracting employees.
	Fraud Risk Response: Information technology department conducts routine checks to test for control overrides.

	22	Numerous audit organizations have also adapted this framework as a tool to assess the risk of fraud when performing their work.

Australian National Audit Office Fraud Risk Management Process
The Australian National Audit Office’s fraud risk assessment process involves communicating and consulting with relevant employees at all levels within the organization during all stages of the risk assessment. This communication addresses issues relating to the risk itself, its causes, its impact (if known), and the measures taken to address it. 
The approach ensures that those accountable\nfor implementing the risk management process and stakeholders understand the\nbasis of decision making and the reasons particular actions were required.\n\nEstablishing the context involves articulating the organization\xe2\x80\x99s objectives and\nthe external and internal parameters to be taken into account when managing risk.\nThis process also establishes the scope and risk criteria for the remaining process.\n\nIdentifying fraud risks requires organizations to consider both internal and\nexternal fraud risks. Organizations are also encouraged to consider fraud risks that\ncould emerge in the future, for example, fraud risks arising from a change to an\ninformation technology system or other significant changes in business processes.\nIt is also important to consider fraud risks when evaluating the design of a new\nsystem or program. Identifying fraud risks at the system and program levels assists\nthe organizations\xe2\x80\x99 efforts to assess overall organizational risk and to reflect these\nrisks in their strategic planning objectives.\n\nBecause fraud is characterized by dishonesty and deception, the identification of\nfraud risks requires a skeptical mindset and involves asking probing questions\nduring brainstorming such as:\n\n         \xe2\x80\xa2\t How might a fraudster exploit weaknesses in the systems of controls?\n\n         \xe2\x80\xa2\t How could a fraudster override or circumvent controls?\n\n         \xe2\x80\xa2\t What could a fraudster do to conceal fraud?\n\nDocumenting and assigning ownership of the risks and controls is important.\nThe business area responsible for managing a particular fraud risk is identified and\nthe timeframe for implementing any remedial action is clearly documented in risk\nmanagement plans.\n\nIt is also important to monitor and review the fraud risk assessment regularly.\nA fraud risk assessment should be performed at least every 2 years and coincide\nwith a review of 
the organization’s overall fraud control plan. When an entity undergoes a substantial change in structure or function, or when there is a significant transfer of responsibilities, the entity must undertake another fraud risk assessment in relation to the changed functions. An organization could also consider implementing an ongoing program to update the fraud risk assessment more frequently.

Organizations should actively monitor and review their identified fraud controls. Changes in the effectiveness or applicability of these fraud controls can impact the organization’s fraud risk assessment to either increase or decrease fraud risk. Figure 23 illustrates the Australian National Audit Office’s fraud risk management process.

Figure 23. 
Australian National Audit Office Fraud Risk Management Process

[Flowchart. Establishing the Context leads into Risk Assessment, which comprises Risk Identification, Risk Analysis, and Risk Evaluation; Risk Assessment leads to Risk Treatment and then to a Documented Risk Assessment. Communication and Consultation, and Monitoring and Review, run alongside and feed back into every stage.]

Source: AS/NZS ISO 31000:2009 (joint Australian/New Zealand adoption of the International Organization for Standardization standard), Risk Management Principles and Guidelines

Australian National Audit Office Fraud Risk Assessment Approach
The Australian National Audit Office’s fraud risk assessment approach provides a methodology to evaluate a program, function, or business area. Organizations begin the process by describing a specific fraud risk. At the end of the assessment, actions are developed to address each risk area. When using this methodology, it is important that organizations perform each of the steps in the sequence described in Table 7.

Table 7. Australian National Audit Office Fraud Risk Assessment Approach

Fraud Risk Description: The fraud risk is described, ensuring that both the cause and the impact of the fraud risk happening are included in the description provided.

Fraud Risk Factors: The fraud risk factors are those conditions or actions that are most likely to cause the fraud risk to occur. This is generally a brief list of likely scenarios that could occur.

Inherent Likelihood: The inherent likelihood provides an indication of how often an identified risk might occur in the absence of any controls. This is generally measured using a five-point scale (that is, almost certain, likely, possible, unlikely, rare).

Inherent Risk Rating: The inherent risk rating provides a ranking for an identified risk once the likelihood and consequence of the risk have been considered in the absence of any controls. This is generally measured using a five-point scale (that is, severe, high, medium, low, very low).

Key Controls Identified: The key controls are those controls currently established within the entity to minimize the likelihood and consequence of the identified fraud risk happening.

Residual Likelihood: The residual likelihood provides an indication of how often an identified risk might occur when taking into consideration the effectiveness or otherwise of the existing controls. This is generally measured using a five-point scale (that is, almost certain, likely, possible, unlikely, rare).

Residual Consequence: The residual consequence provides an indication of how serious the consequences would be if an identified risk occurred, taking into consideration the effectiveness or otherwise of the existing controls. This is generally measured using a five-point scale (that is, extreme, major, moderate, minor, insignificant).

Residual Risk Rating: The residual risk rating provides a ranking for an identified risk once the likelihood and consequence of the risk have been considered after taking into account the effectiveness of the existing controls. This is generally measured using a five-point scale (that is, severe, high, medium, low, very low).

Fraud Risk Owner: The fraud risk owner is the individual or group within the entity with accountability for managing the identified fraud risk.

Action Required: The action required relates to the identification of any further actions that the entity must undertake in relation to the identified fraud risk (that is, new controls to be established).

Source: “Fraud Control in Australian Government Entities, Better Practice Guide,” Australian National Audit Office and KPMG, March 2011, pages 36, 37, and 91.

Association of American Medical Colleges
The Internal Audit Division of the Association of American Medical Colleges (AAMC)23 facilitates an 
annual enterprise-wide risk assessment, which includes an assessment\n                 of fraud risk. The organization\xe2\x80\x99s 35 auditable units participate in the review, which\n                 includes representatives from Finance, Information Technology, and Human Resources.\n                 The assessment also provides an opportunity for Internal Audit to educate other\n                 employees about fraud, and increase fraud awareness within the organization.\n\n\n                 Quantifiable Fraud Risk Assessment\n                 Both quantifiable and qualitative approaches are used to identify and evaluate\n                 fraud risks. For the quantifiable ranking, numeric values are assigned, ranging from\n                 a low of one to a high of five. Participants are also required to consider impact\n                 and opportunity when rating fraud risk, along with inherent and residual risks.\n                 For example, fraud risk in the Finance Department would be rated higher and have\n                 a more significant impact on the organization when compared to fraud risk at the\n                 on-site library. All business unit representatives are required to agree on the final\n                 risk rankings assigned. When the client rates the fraud risk as low (because of\n                 the presence of mitigating controls), but the auditors believe that the risk may be\n                 higher (for example, based on previous audits or audit experience), the auditors\n                 adjust the fraud risk scores up or down, as needed, after the business units complete\n                 their assessments.\n\n                 During the fraud risk assessment discussions, Internal Audit asks business\n                 unit representatives about ways that fraud could occur versus where fraud is\n                 occurring. This approach helps to stimulate discussion and causes people to think\n                 about fraud. 
Additional topics discussed include opportunities for management fraud, employee fraud, unauthorized use or disclosure of sensitive information, theft of assets, and other illegal acts.

Table 8 depicts examples of the business units and risk attributes that are evaluated during the assessment. Business units/auditable units with interrelated functions and objectives are grouped in clusters.

	23	The AAMC is a nonprofit group of medical schools, hospitals, and academic societies. The organization provides assistance for members in the areas of education, research, and patient care.

Table 8. 
Business Units and Risk Attributes

[Blank scoring template, reconstructed from the extracted table. Each auditable unit, listed under its cluster, is scored on ten risk attributes (Personnel; Financial; Process and Operational; Technology; Environmental; Governance; Fraud; Compliance; Reputational; Prior Audit Results), followed by Total, Adjusted, and Final Rating columns. In the example every Total is 0 because no scores have been entered. A legend marks units for which a reminder was sent and units from which a response was received.]

Auditable Unit (cluster): Audit Name
	Academic Affairs & Programs (Academic Affairs): Academic Affairs
	Communications (Public Policy & Strategic Relations): Communications
	Diversity Policy & Programs: Diversity
	Finance (Operations and Services): General Accounting; Payroll
	Global Health Learning Opportunities (Operations and Services): Global Health Learning Opportunities
	Government Relations (Public Policy and Strategic Relations): Government Relations
	Health Care Affairs: Health Care Affairs
	Human Resources (Operations and Services): Benefits; Human Resources; Compensation
	Information Technology (Operations and Services): Data Integrity; Information Technology Services; Disaster Recovery; Information Technology Security/General Computer Controls

Qualitative 
Fraud Risk Assessment\n                 The qualitative component of the fraud risk evaluation is an on-line Risk\n                 Assessment Survey, which is sent to all entity-wide risk assessment participants.\n                 Survey respondents have the option of identifying themselves or submitting their\n                 responses anonymously. The survey approach helps fill gaps in the quantifiable\n                 fraud risk assessment rankings. For example, the quantifiable assessments provide\n                 Internal Audit with numeric risk rankings, while the survey method provides insight\n                 regarding the thoughts behind the numbers. The survey also gives information\n                 on internal control improvement opportunities within the organization.\n\n                 Figure 24 is an example of an online Risk Assessment Survey. The survey is\n                 intended for illustrative purposes only. DoD organizations are encouraged to\n                 develop surveys designed to target their specific programs, operations, or\n                 fraud vulnerabilities.\n\n                 Figure 24. 
Survey Questions

Example Fraud Risk Assessment Survey Questions

1. In your opinion, what are the top risks or potential obstacles to achieving your operational objectives within your unit?

2. In your opinion, what are the top risks or potential obstacles to achieving your objectives within your cluster?

3. In your opinion, what are the top risks or potential obstacles that may prevent the organization from achieving our stated objectives?

4. Is there an obstacle, challenge, or risk that "keeps you up at night"? If so, what is it, and why does it concern you?

5. Generally, where do you feel your unit is in terms of maturity of the internal control structure?

   • Initial: Controls over risks are ad hoc, not in place, not working as intended, or easily overlooked or overruled.

   • Repeatable: A process to control risks is established and repeating, but controls documentation is lacking.

   • Defined: A process to control risks is established and repeating, and documentation is in place to support the process.

   • Managed: Risks are managed systemically and reviewed at the enterprise level.

   • Optimized: Controls over risks are continuously improving and are managed at the enterprise level.

6.
Generally, how is your unit performing in relation to your stated objectives?

   • Always or nearly always, objectives are achieved on time and without issue.

   • Periodically, our objectives are met on time and without issue.

   • It is often difficult to achieve process objectives on time and without issue.

   • Rarely are our objectives met on time and without issue.

7. If you have any comments on risk or this survey, please add them below.

Advantages of Fraud Risk Assessment Surveys
Figure 25 highlights the advantages of using fraud risk assessment surveys. To maximize survey benefits, DoD organizations should ensure that surveys are not too long or time-consuming to complete. It is also important to request participation from both supervisory and nonsupervisory employees in the survey process. All participants should be reassured that their identities and responses will remain confidential. That assurance holds only if the survey platform is configured so that identifying metadata such as login identity, network address, or submission time is not stored alongside the responses; an "anonymous" survey that logs these fields is not anonymous.

Figure 25.
Survey Advantages

Advantages of Fraud Risk Assessment Surveys

Fraud risk assessment surveys provide employees with ways to:

   • Report fraud and/or fraud risks without their co-workers and supervisors in the same room or meeting.

   • Identify fraud and/or fraud risks that may be occurring within their business units.

   • Report suspect activity happening in other business units.

Smart Insights, LLC Fraud Risk Assessment Approach
The company²⁴ uses an Internal Fraud Risk Assessment Questionnaire that is intended to help identify gaps in an organization's anti-fraud program and processes. Benefits of this assessment approach are that it:

   • provides an inexpensive, cost-effective means of identifying areas that are vulnerable to fraud,

   • helps to proactively identify areas that are susceptible to fraud that could adversely impact an entity's financial position and/or reputation,

   • pinpoints opportunities to save money or drive operational improvements,

   • detects internal controls and/or processes that need improvement, and

   • increases the confidence of the organization's clients and stakeholders.

²⁴ Smart Insights, LLC, is a consulting firm based in the District of Columbia. The company specializes in procurement and supply chain management, human capital, and organizational risk.

Participants are instructed to carefully review each question prior to assigning a final score, take their time developing their response, and provide comments or notes as needed.

The following scoring legend is used to evaluate each question:

   • A score of 0 represents an entity that has not implemented any of the recommendations.

   • A score of 100 represents an entity that has designed and implemented processes, but has not tested them within the past twelve months.

   • A score of 200 is given to an entity that has designed, implemented, tested, and determined the processes to be operating effectively within the most recent 12-month period.

   • Any score less than 200 serves as a reminder that there is an opportunity for improvement.

For illustrative purposes, responses to the Internal Control Questionnaire were prepared using information contained in Department of the Navy, Bureau of Medicine and Surgery, Instruction 5370.04, "Navy Medicine Anti-Fraud Program," April 1, 2010 (see Appendix F). The scores assigned were based on fictitious information and are not related to a specific DoD organization or program.

Texas Tech Fraud Risk Assessment Approach
Members of the Internal Audit Department oversee entity-wide fraud risk assessments at Texas Tech locations. As facilitators, the auditors' role consists of gathering information about fraud risks and reporting the results of each assessment to senior management. The fraud risk assessments are conducted in accordance with the International Standards for the Professional Practice of Internal Auditing. Related benefits are educating employees about fraud and increasing fraud awareness at participating campuses.

The Perception-Based Fraud Risk Assessment Approach
Texas Tech's fraud risk assessment process was developed by seasoned audit staff. Internal Audit named its methodology the Perception-Based Approach for Assessing Fraud Risk. Experienced employees and subject matter experts from each campus are selected to participate in fraud risk ranking sessions.

A cross-cutting methodology is used to identify employees representing a range of departments, including accounting, payroll, accounts receivable, and business managers from various components.

During assessment planning, the audit team uses the ACFE Fraud Examiner's Manual to select fraud schemes for discussion and risk ranking in each session. This information is compiled in a Glossary of Fraud Schemes, which is not provided to participants in advance. At the start of each fraud risk assessment, fraud statistics from the most recent ACFE report on occupational fraud²⁵ are also discussed. Additionally, facilitators explain each fraud scenario in the Glossary of Fraud Schemes to participants.
To educate employees about fraud, auditors use real-life examples to demonstrate how each fraud type could occur at their location and provide information about relevant fraud indicators. The employee's role in assisting with detecting and preventing fraud is also emphasized.

Electronic Polling Software Results
During one Texas Tech fraud risk assessment, the auditors initially considered schemes related to corruption, asset misappropriation, and financial statement fraud. Nonfinancial fraud schemes were purposely excluded because the auditors planned to address that type of fraud in future assessments. Financial statement fraud was also eliminated because most of the associated pressures and incentives apply to private companies and do not exist in an academic environment. Other criteria used to select the fraud schemes included:

   • likelihood of occurrence, and

   • the auditors' prior knowledge of and experience with fraud at the location.

The engagement consisted of nine risk assessment sessions in which the perceptions of 52 Texas Tech employees regarding the likelihood, pervasiveness, materiality, and reputational risk of 24 different types of fraud schemes were polled. After each fraud scheme was explained, the participants ranked the schemes using electronic polling software.

Figure 26 depicts a heat map²⁶ of the fraud risk perceptions of the Texas Tech Administration employees who provided input for the fraud risk assessment.

²⁵ The ACFE's "Report to the Nations on Occupational Fraud and Abuse" details the survey results of Certified Fraud Examiners who were asked to provide information on fraud cases that met specific criteria. The data is compiled in a comprehensive report that offers insights about prevention and detection methods.

²⁶ A heat map is a two-dimensional representation of data in which values are represented by colors. A simple heat map provides an immediate visual summary of information. Source: SearchBusinessAnalytics.com

Figure 26.
Example Texas Tech Heat Map

[Figure: heat map. Vertical axis: Likelihood & Pervasiveness (Low at the bottom, High at the top). Horizontal axis: Materiality & Reputational Risk (Low at the left, High at the right). Schemes plotted (positions approximate, from the upper left toward the lower right): Inventory Misuse, Expense Reimbursement Schemes, Billing Schemes, Inventory Larceny, Conflicts of Interest, Cash Larceny, Bribery & Incentives, Payroll Schemes, Check Tampering, Register Disbursements, Cash Skimming.]

   • Red – Perceived to have high likelihood and pervasiveness as well as high materiality and reputational risk

   • Yellow – Perceived to have high likelihood and pervasiveness, but low materiality and reputational risk

   • Green – Perceived to have low likelihood and pervasiveness and low materiality and reputational risk

Advantages of the Perception-Based Fraud Risk Assessment Approach
Figure 27 highlights the benefits of Texas Tech's Perception-Based Approach for Assessing Fraud Risk. DoD organizations should consider implementing electronic polling software, or comparable technology, when performing fraud risk assessments. Like online surveys, electronic polling allows anonymous responses from employees.

Figure 27. Benefits of the Texas Tech Approach

Benefits of the Perception-Based Fraud Risk Assessment Approach

   • Electronic polling allows participants to remain anonymous when evaluating fraud risks. Because people may not be comfortable or open discussing fraud in the presence of their managers, anonymity encourages more truthful responses.

   • Live interaction helps facilitators gauge participants' understanding of the fraud schemes and indicators before risk rankings are submitted.

   • The polling software can be embedded within Fraud Awareness Briefings to obtain additional information about employees' fraud perceptions. This data can be analyzed to identify trends and compare results across different business units within an entity.

Additionally, electronic polling enables a greater number of employees to participate in the fraud risk assessment process. As a result, more information is received in less time than through meetings with small groups or one-on-one discussions about fraud risks.

Grant Thornton Approach for Enterprise Risk Management
A fraud risk assessment is an integral part of enterprise-wide risk assessment. It is the responsibility of management to identify, measure, and reduce fraud risks to acceptable levels. As part of an ongoing, systematic, and recurring enterprise fraud risk assessment, the fraud risk assessment should consider internal and external fraud risks at all levels enterprise-wide.
Additionally, it should prioritize fraud risk by significance, likelihood, and exposure.

The following information describes the five tasks that should be performed when developing a successful enterprise risk management program.

Task 1 – Establish a Framework
To establish the framework and governance structure, the organization should collect and review information regarding the organization, including organization structure, roles and responsibilities, policies and procedures, audit reports, existing enterprise risk management documentation, and other organizational artifacts. After reviewing these materials, the agency should interview stakeholders, focusing on key risk areas, including organizational, financial, political, technological, market, legal, and security risks. Figure 28 describes the benefits of conducting interviews with stakeholders.

Figure 28. Interview Benefits

Benefits of Interviews with Key Stakeholders

Through interviews, the organization can:

   • Determine risk indicators.

   • Determine the acceptable levels of risk.

   • Determine the risk culture.

   • Identify existing risk management processes and policies.

   • Determine the best method to report risk.

   • Identify and assess the existing control environment, and

   • Identify who is accountable for risk management.

Using the information collected, the organization should develop the components of the framework, identify a governance structure that will complement the organization and its culture, and develop the enterprise risk management
architecture needed to support the program. Once the framework and governance structure are defined, the organization should develop the risk management policy and the policies for risk identification, assessment, measurement, mitigation, monitoring, and reporting.

Task 2 – Risk Identification
Leveraging information gathered during the stakeholder interviews in Task 1, the organization should develop a methodology to identify and categorize risks across the enterprise, measure the intensity of the elements that drive each risk, and assess the organization's exposure to these elements. This effort gives the organization a shared language about its risks, promoting a more risk-aware environment that is equipped to respond quickly if a problem occurs.

Additionally, it is recommended that the Fraud Prevention Check-Up published by the ACFE be used as a tool for establishing a baseline of how well an organization understands its risk of fraud. The Fraud Prevention Check-Up is a survey that asks key questions related to fraud risk oversight, ownership, assessment, risk tolerance and management, anti-fraud controls, and fraud detection. The Fraud Prevention Check-Up is available on the ACFE's website at www.ACFE.com.

Task 3 – Risk Prioritization and Evaluation
The identification of risks leads to questions about how best to mitigate them. The organization should identify possible responses and actions based on its risk appetite. The organization should first develop risk prioritization and evaluation policies, procedures, and business boundaries with clear objectives for enterprise risk management activities. These policies and procedures are guided by the organization's risk appetite, that is, the extent to which management is willing to accept risk, which in risk evaluation is expressed by defining a tolerance for each individual risk.

Task 4 – Risk Management
Effective risk management involves creating feasible corrective actions for the control deficiencies and gaps identified, as well as understanding findings in the broader context of the organization's strategic goals. The organization should concentrate first on developing responses to high-frequency, high-severity events by assisting management with creating a risk response for the factors that contribute to the risk's occurrence, evaluating response benefits against long-term costs, and defining quantifiable corrective actions that can be implemented and monitored.

Task 5 – Risk Monitoring, Reviewing, and Reporting
The organization's risk policy should contain clear objectives and guidance for risk monitoring, review, and reporting linked to overall business strategies. In addition, it should provide direction on communication of risks to senior management, execution of risk mitigation decisions, and procedures for monitoring remediation activities and the identified risks. The following should be monitored and reported:

   • key risk ratings or profiles that classify and describe all risks,

   • key performance indicators that measure the impact of risks on performance,

   • risk rates and modeling to measure risk concentration and interdependencies,

   • top-level key risk indicators that provide an early signal of increasing risk exposures, and

   • testing and validation results (stress testing and control testing).

Grant Thornton Fraud Risk Assessment Approach
Grant Thornton's fraud risk assessment approach consists of three phases, summarized in Figure 29. It is important for DoD organizations to complete each step in the sequence shown in Figure 29 if they elect to use the Grant Thornton approach. Additionally, the approach can be modified to suit an organization's size, structure, and known fraud vulnerabilities.

Figure 29.
Grant Thornton Fraud Risk Assessment Phases

Phases of a Fraud Risk Assessment

Phase I

   a. Understand the organization

   b. Identify occupational fraud risk factors

   c. Identify potential errors, accounts and/or balances, and/or disclosures that may be affected

   d. Identify potential fraud schemes and scenarios and note indications (i.e., "red flags") of fraud risk, and classify them into "fraud triangle" categories:

      i. Incentives/Pressures

      ii. Opportunities

      iii. Rationalizations

   e. Assess the "significance" or "magnitude" of potential fraud risks

   f. Assess the "likelihood" or "probability" of fraud occurring

   g. Prioritize fraud risk "exposure" or "vulnerability" (i.e., the combination of "significance" and "likelihood")

   h. Communicate findings

Phase II

   a. Understand management's objectives related to fraud risk management, including tolerance for acceptable residual fraud risks

   b. Identify anti-fraud measures, programs, procedures, policies, and internal controls

   c. Perform walk-throughs, as needed

   d. Document as requested

   e. Evaluate the effectiveness of anti-fraud measures, programs, procedures, policies, and internal controls in mitigating the prioritized fraud risks

   f. Identify any "gaps" or weaknesses

   g. Prepare recommendations for improvements

   h. Communicate findings and recommendations

Phase III

   a. Identify anti-fraud measures, programs, procedures, policies, and internal controls to be tested for compliance

   b. Sample and test anti-fraud measures, programs, procedures, policies, and internal controls

   c. Evaluate results

   d. Identify any "gaps" or weaknesses

   e. Prepare recommendations for improvements

   f. Communicate findings and recommendations

The fraud risk assessment documentation will generally include written reports, documentation of procedures, recommendations, and proposed next steps. For an example client report and illustrative heat map of fraud risks, see Appendix G.

Summary of Entity-Wide Approaches for Conducting Fraud Risk Assessments
Table 9 summarizes the key attributes, similarities, and differences of the various fraud risk assessment approaches discussed within this section. As emphasized throughout this report, each of the suggested approaches can be modified to suit an organization's mission, size, or specific fraud vulnerabilities.
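The Texas Tech heat map in Figure 26 and step (g) of Phase I in Figure 29 are two views of the same computation: each scheme receives a likelihood score and a significance score, and the two are combined to place the scheme on a map or in a ranked list. The following Python module is an added example written for this page; it is not code from the DoD OIG, Texas Tech Internal Audit, or Grant Thornton. It aggregates constructed, anonymous polling votes (no participant field is stored, matching the anonymity the report recommends) into per-scheme medians, maps each scheme onto the Figure 26 legend, and ranks schemes by exposure. The scheme names are taken from Figure 26; the 1-5 rating scales, the 3.5 cut-off between Low and High, the "orange" label for the quadrant the legend does not name, and the sample votes are assumptions.

```python
"""Turn anonymous fraud-risk poll votes into a Figure 26 style heat map and a
Phase I step (g) exposure ranking.

Added illustration only; not code from the DoD OIG report, Texas Tech
Internal Audit, or Grant Thornton. Scheme names come from Figure 26; the
1-5 scales, the High/Low cut-off and the sample votes are assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed sample votes: (scheme, likelihood & pervasiveness 1-5,
# materiality & reputational risk 1-5). Deliberately no participant field:
# the polling is anonymous, so nothing that could identify a voter is kept.
SAMPLE_RESPONSES = [
    ("Inventory Misuse", 5, 2), ("Inventory Misuse", 4, 2), ("Inventory Misuse", 5, 1),
    ("Expense Reimbursement Schemes", 4, 2), ("Expense Reimbursement Schemes", 4, 3),
    ("Expense Reimbursement Schemes", 3, 2),
    ("Billing Schemes", 4, 4), ("Billing Schemes", 5, 4), ("Billing Schemes", 4, 5),
    ("Conflicts of Interest", 3, 5), ("Conflicts of Interest", 2, 4), ("Conflicts of Interest", 3, 4),
    ("Bribery & Incentives", 2, 5), ("Bribery & Incentives", 1, 5), ("Bribery & Incentives", 2, 4),
    ("Cash Skimming", 1, 1), ("Cash Skimming", 2, 2), ("Cash Skimming", 1, 2),
    ("Check Tampering", 2, 2), ("Check Tampering", 1, 3), ("Check Tampering", 2, 2),
]

HIGH_CUTOFF = 3.5  # assumed: a median at or above this counts as "High"


def aggregate(responses):
    """Median rating per scheme on each axis.

    The median is used instead of the mean so that a single extreme vote in a
    small session cannot push a scheme across the Low/High boundary on its own.
    Ratings outside 1-5 are rejected rather than silently clamped.
    """
    votes = defaultdict(lambda: ([], []))
    for scheme, likelihood, materiality in responses:
        if not (1 <= likelihood <= 5 and 1 <= materiality <= 5):
            raise ValueError(f"rating out of range for {scheme!r}")
        votes[scheme][0].append(likelihood)
        votes[scheme][1].append(materiality)
    return {s: (median(l), median(m)) for s, (l, m) in votes.items()}


def cell(likelihood, materiality, cutoff=HIGH_CUTOFF):
    """Map one scheme to the Figure 26 legend colour.

    The report's legend names three cells; the fourth (low likelihood but
    high materiality) is labelled "orange" here as an assumption.
    """
    high_l = likelihood >= cutoff
    high_m = materiality >= cutoff
    if high_l and high_m:
        return "red"
    if high_l:
        return "yellow"
    if high_m:
        return "orange"
    return "green"


def heat_map(responses, cutoff=HIGH_CUTOFF):
    """Scheme -> legend colour, computed from the aggregated medians."""
    return {s: cell(l, m, cutoff) for s, (l, m) in aggregate(responses).items()}


def prioritize(responses):
    """Figure 29 Phase I step (g): exposure = significance x likelihood.

    Returns (scheme, exposure) pairs, highest exposure first; ties are broken
    in favour of the scheme with the higher materiality score.
    """
    scores = aggregate(responses)
    ranked = sorted(scores.items(),
                    key=lambda kv: (kv[1][0] * kv[1][1], kv[1][1]),
                    reverse=True)
    return [(s, l * m) for s, (l, m) in ranked]


if __name__ == "__main__":
    colours = heat_map(SAMPLE_RESPONSES)
    for scheme, exposure in prioritize(SAMPLE_RESPONSES):
        print(f"{colours[scheme]:7} exposure={exposure:>4}  {scheme}")
```

Running the module prints one line per scheme with its legend colour and exposure, highest exposure first. With the engagement described above (nine sessions, 52 participants), a real implementation would also keep session-level results separate so that the facilitator can compare business units, as the third benefit in Figure 27 suggests, while still never storing anything that ties a vote to an individual.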
DoD organizations are also encouraged to develop other approaches for performing fraud risk assessments, using the information presented within this report as a resource.

Table 9. Summary of Entity-Wide Approaches for Conducting Fraud Risk Assessments

Organization / Fraud Risk Assessment Attributes

DoD Investigative Agencies
   • Brainstorming sessions help to identify fraud risks.
   • Review of current fraud trends and organization expenditures to identify high-risk areas.
   • For decentralized organizations, request input regarding specific trends occurring in various geographic areas.
   • Fraud efforts are focused on areas of high Congressional interest.
   • Assessment results are reported to investigative employees, senior management officials, and the Senior Executive Board.

Navy Exchange Service Command
   • Use of CSAs to identify gaps in internal controls and potential fraud risks and vulnerabilities.
   • Fraud awareness training is provided to stimulate discussions with employees and educate them about the CSA process and goals.
   • CSA results are reported to management.

Naval Sea Systems Command
   • Facilitated discussions with employees to identify fraud risks.
   • Fraud awareness training is provided during employee discussions.
   • Report of results prepared for management.

Institute of Internal Auditors, American Institute of Certified Public Accountants, Association of Certified Fraud Examiners
   • Fraud risk assessment template used to identify and rank fraud risks.
   • Emphasize participation of subject matter experts in the fraud risk assessment process.

Australian National Audit Office
   • Require the organization to involve relevant employees at all levels in the fraud risk assessment process.
   • Emphasize the importance of documenting and assigning ownership of fraud risks and controls.
   • Require documentation of the assessment results.

Association of American Medical Colleges
   • Online employee surveys encourage anonymous reporting of potential fraud risks or suspect activities.
   • Interviews with managers and employees help to quantify fraud risks.
   • Fraud awareness training is conducted during employee interviews.

Smart Insights, LLC
   • Internal Fraud Risk Assessment Questionnaires are used to identify gaps in an organization's anti-fraud program and processes.

Texas Tech
   • Electronic polling software is used to identify high-risk areas. The approach permits employees to rate fraud risks anonymously.
   • A Glossary of Fraud Schemes is developed to provide employee fraud awareness training during the fraud risk assessment process.
   • Heat maps are prepared to illustrate assessment results to management.
   • Report of fraud risk assessment results is prepared for management.

Grant Thornton
   • Fraud risk assessments are considered a component of enterprise risk management.
   • Three-phase approach for conducting fraud risk assessments. Phase one emphasizes identifying fraud schemes and indicators and prioritizing them by significance and likelihood. Phase two evaluates the existing anti-fraud controls against the prioritized risks, identifies gaps, and reports recommendations to management. Phase three tests the controls for compliance and reports any remaining gaps and recommendations.

Summary of DoD and External Organizations' Fraud Initiatives

DoD Entities and External Organizations' Fraud Risk Assessment Approaches, Fraud Awareness Training, and Internal Control Evaluations
We interviewed 82 subject matter experts from 33 DoD organizations. External participants represented both public and private entities and consisted of 18 subject matter experts from 12 organizations. During our review, we identified effective approaches for conducting audit and entity-wide fraud risk assessments, fraud awareness training activities, and internal control evaluations. We used documentation obtained from subject matter experts at the Naval Audit Service; DoD OIG, Office of the Deputy Inspector General for Audit; AICPA; Smart Insights Group, LLC; Navy Bureau of Medicine and Surgery; Grant Thornton; NAVSEA; Council of the Inspectors General on Integrity and Efficiency, Training Institute (CIGIE); and the Australian National Audit Office to develop the example documents included in Appendixes B through J.

During our interviews with DoD and external subject matter experts, we identified numerous innovative approaches for conducting fraud risk assessments.
Of the 33 DoD organizations we interviewed, 13 were conducting entity-wide risk assessments, 26 were conducting fraud risk assessments when performing audit-related work, 23 were providing fraud awareness training, and 3 were concentrating on internal control evaluations. Table 10 indicates the focus of each participating DoD organization.

Table 10. Focus Areas of DoD Organizations

                                                                  Fraud Risk   Fraud        Internal
DoD Organization                                                  Assessment   Awareness    Control
                                                                               Training     Evaluations
Department of Defense
  Army and Air Force Exchange Service, Audit Division             X            X
  Defense Commissary Agency, OIG, Audit Division                  X
  Defense Contract Management Agency, Contract Integrity Center   X*           X
  Defense Contract Management Agency, Internal Review             X
  Defense Information Systems Agency, OIG, Audit                  X
  Defense Information Systems Agency, OIG, Investigations         X*           X
  Defense Logistics Agency, OIG, Audit Division                   X
  Defense Logistics Agency, OIG, Investigations Division          X*           X
  Defense Logistics Agency, Office of General Counsel             X*,†
  DoD OIG, Office of the Deputy Inspector General for Audit       X            X
  DoD OIG, Defense Criminal Investigative Service                 X*           X
  DoD OIG, Office of General Counsel                                           X
  DoD OIG, Office of the Deputy Inspector General for Policy                   X
    and Oversight
  Missile Defense Agency, Internal Review                         X
  Missile Defense Agency, Managers’ Internal Control Program                                X
  Missile Defense Agency, Quality, Safety, and Mission Assurance  X*,†         X
  National Geospatial Agency-Intelligence, OIG, Investigations    X*           X
  Office of the Undersecretary of Defense, Comptroller, Financial                           X
    Improvement and Audit Readiness Division
  Office of the Undersecretary of Defense, Acquisition,                        X
    Technology, and Logistics, Defense Procurement & Acquisition Policy ‡
  Tricare Management Activity, Program Integrity Office           X*           X
Department of the Army
  Army Audit Agency                                               X            X
  Army Criminal Investigation Command                             X*           X
Department of the Navy
  OIG Marine Corps                                                X
  Marine Corps Nonappropriated Funds Audit Service                X            X
  Marine Corps Risk and Compliance                                                          X
  Naval Audit Service                                             X            X
  Naval Criminal Investigative Service                            X*           X
  Navy Exchange Command, Office of Internal Audit                 X            X
  Naval Sea Systems Command, OIG                                  X*           X            X
  Risk Management and Compliance Branch                           X*           X
Department of the Air Force
  Air Force Audit Agency                                          X            X
  Air Force Office of General Counsel ‡                                        X
  Air Force Office of Special Investigations                      X*           X

    * The organization is performing entity-wide fraud risk assessments. Organizations that do not have a notation indicated that they are performing fraud risk assessments during audits, evaluations, or internal reviews.
    † Member of the DoD Counterfeit Parts Working Group.
    ‡ Representatives from these organizations provided information about the DoD Procurement Fraud Working Group’s activities.

Department of Defense

Army and Air Force Exchange Service Audit Division. Seventy-five percent of the staff members are Certified Fraud Examiners. All new hires are required to attend the ACFE test preparation course. The Audit Division invites employees from other AAFES disciplines to participate in the test preparation classes, including Loss Prevention, OIG, Finance Department, and buyers for stores. This approach helps to educate people throughout the organization about fraud. The Audit Division also developed a fraud risk assessment template. When performing their work, auditors are required to consider internal controls, fraud risks, and approaches to evaluate the effectiveness of the controls. Staff members conduct internal control audits at exchange stores, focusing on key control areas, such as controls over refunds, receipts, and damaged and defective goods. The Audit Division provides recommendations to management on ways to improve existing controls and store operations.

Defense Commissary Agency OIG, Audit Division. All audit staff participate in fraud brainstorming sessions. During the meetings, team members use a whiteboard to visually map the process they are auditing.
A template was developed that requires auditors to evaluate the control risks, fraud indicators, potential for control overrides, control effectiveness, and impact on the organization. The Defense Commissary Agency developed the “Front End Audit Worksheet Information Guide” to assist senior managers’ efforts to assess suspect financial transactions such as refunds, suspended transactions, or coupon misuse. The Audit Division provided examples of fraud indicators that were included in the Guide. In June 2012, the Director, Defense Commissary Agency, sent a memorandum to all employees emphasizing the importance of fraud prevention and discussing the role of the OIG in preventing and detecting fraud within the organization.

Defense Contract Management Agency, Contract Integrity Center. In 2007, the organization developed its first Strategic Plan for FY 2007-2012; the plan was most recently revised in July 2009. The purpose of the project was to identify fraud vulnerabilities and educate senior Defense Contract Management Agency leadership about the mission of the organization. This project was led by the Director, Contract Integrity Center, and participants included teams of attorneys working at various locations throughout the United States. The process started by examining the entity’s fraud cases and assigning risk rankings of low, medium, or high. The Director, Contract Integrity Center, then led discussions with smaller groups of attorneys and posed the question: “Fraud Happens, Why?” Brainstorming sessions were used to identify the organization’s highest fraud risk activities, and red, yellow, or green scores were assigned to each area. Next, high-risk areas received subsequent rankings such as high-risk/high-value, medium-high risk, and medium high-value. This information was used to develop the Contract Integrity Center Strategic Plan Goals, which included improving the capability of the entity’s workforce to identify, report, and remediate fraud.

The organization also created a multifaceted fraud awareness training program. One of the more innovative training approaches is the on-line fraud training videos, similar to television soap operas, with cliffhangers at the close of each segment. Other web-based fraud resources include “Focus on Fraud” newsletters, fraud brochures, and fraud indicators and trends.

Defense Contract Management Agency, Internal Review. The Defense Contract Management Agency’s Audit Manual requires auditors to be continuously alert to fraud when conducting their work and also includes information about fraud indicators. The Audit Team Leader coordinates discussions about fraud risk. The discussions are documented in the project files. All staff members participate in the Defense Contract Management Agency fraud training.

Defense Information Systems Agency, OIG, Audit. Auditors assess the potential for fraud, waste, and abuse when developing the annual audit plan. Areas considered include the amount of time since the last assessment; vulnerability to fraud, waste, and abuse; and external concerns. The team assigns scores to potential audit topics using the OIG Risk Assessment Tool. To evaluate the potential for fraud, auditors use risk rankings from high to low. Attributes of high-risk scores include assets that are easily converted to cash, high cost materials, and high potential for personal misuse. Information captured in the OIG Risk Assessment Tool is shared with audit staff to assist with audit planning.

Defense Information Systems Agency, OIG, Investigations. The organization conducted an entity-wide fraud risk assessment to develop a fraud awareness training program for Defense Information Systems Agency employees. Methods to identify fraud risks included an analysis of internal fraud trends, reviews of ongoing and previous fraud cases, and ACFE reports. Investigations staff also met with more than 20 DoD and external organizations to obtain information about fraud training methods. A fraud awareness training video was developed, emphasizing procurement fraud. The video is continuously played throughout the entity’s Headquarters, and at least 7,000 employees have seen the training. Investigators also conduct Fraud Awareness Briefings. Using video teleconference capabilities, briefing attendance ranges from twenty employees to six hundred. OIG Hotline submissions significantly increased with the organization’s renewed emphasis on fraud awareness.

Defense Logistics Agency OIG, Audit Division. The Audit Division consists of a blend of staff members with diverse audit experiences that include other DoD audit organizations, private industry, and public accounting. As a result, fraud brainstorming sessions are enhanced through the team’s collective knowledge and prior work experiences. Some offices prepare read-ahead briefing materials to encourage team members to think about fraud schemes and indicators before the brainstorming sessions, and less senior auditors are required to review the DoD OIG Fraud Webpage [27] to enhance their fraud awareness. Types of information included in the pre-meeting briefing materials are the Defense Logistics Agency Management Internal Control Program, Statement of Assurance, AICPA and GAGAS guidance, and relevant ACFE fraud indicators. To promote discussion, members are encouraged to share their ideas, and an open forum approach is established. A fraud risk assessment template is used to summarize topics discussed during the brainstorming session and record ideas about potential fraud.

Defense Logistics Agency OIG, Investigations Division. The organization prepares an Annual Crime Vulnerability Assessment Plan. The plan’s development begins with an informal meeting with Investigations senior management to discuss fraud indicators and trends. Risk rankings of high, medium, or low are assigned to each fraud category. The assessment results are shared with the Defense Logistics Agency Director, Senior Executive Board, and Investigations staff as a method to communicate priorities for the upcoming year. Investigations works closely with the OIG Audit Division when performing their work. The ongoing partnership between the OIG components contributes to their success at detecting and preventing fraud.

[27] www.dodOIG.mil/resources/fraud/fraud_defined.html

Defense Logistics Agency, Office of General Counsel. The Office of General Counsel is an active member in the Counterfeit Parts Working Group [28]. Members include representatives from various DoD organizations and other Federal agencies such as Customs and Border Protection. Price, item, and supply are identified as significant fraud risks for counterfeit parts. DoD works with external vendors to develop statistical models to identify high risk areas and suppliers. The Defense Logistics Agency anti-fraud program has been in place for more than 20 years and includes on-line mandatory counterfeit parts training for all employees.

DoD OIG, Office of the Deputy Inspector General for Audit. The organization developed a predictive analytics pilot program using advanced data mining techniques.
Program benefits included:

    • increased internal and external collaboration and transparency,
    • expanded accessibility and controls,
    • verified audit and investigation outcomes, and
    • consistent methodology and analysis techniques.

Planned focus areas were targeted at detecting fraud indicators in contracting, travel, and purchase card programs. Pilot participants included representatives from numerous DoD OIG components such as Audit, Defense Criminal Investigative Service, Information Systems Directorate, Hotline, and Office of General Counsel.

DoD OIG, Defense Criminal Investigative Service. This organization is the primary investigative arm of the DoD OIG and focuses its efforts on criminal/civil investigations involving the following areas: (1) procurement fraud and public corruption; (2) product substitution; (3) health care fraud; (4) illegal technology transfers; and (5) computer crime. From October 1, 2012 through March 31, 2013, the Defense Criminal Investigative Service investigations resulted in criminal fines, penalties, restitutions, and forfeitures totaling $717.8 million. Defense Criminal Investigative Service representatives also participate as members of the National Intellectual Property Rights Center.

[28] The mission of the Counterfeit Parts Working Group is to detect and mitigate the risk of counterfeit parts within the DoD supply chain.

DoD OIG, Office of the Deputy Inspector General for Policy and Oversight. The Investigative Policy and Oversight component was designated as the component responsible for receiving contractor disclosures in 2008. The Contractor Disclosure Program supports DoD’s efforts to minimize the impact of fraud and criminal misconduct in areas such as counterfeit parts and materials, product substitution, and labor mischarging by:

    • affording contractors a means of reporting certain violations of criminal law and violations of the civil False Claims Act and suspected counterfeit/nonconforming parts discovered during self-policing activities;
    • providing a framework for government verification of matters disclosed; and
    • providing an additional means for a coordinated evaluation of administrative, civil, and criminal actions appropriate to the situation.

During FY 2012 and 2013, 451 disclosures were received.

DoD OIG, Office of General Counsel. The organization supports the Defense Criminal Investigative Service’s fraud investigative mission. Additionally, attorneys serve as liaison between DoD law enforcement agencies and fraud counsel at other DoD organizations including the Army and the Defense Logistics Agency. Staff members teach a variety of topics at the Defense Investigative Service’s Special Agent Basic Training such as ethics, Freedom of Information Act, and subpoenas. The organization also played a role in developing suspension and debarment training for DoD law enforcement personnel.

DoD Procurement Fraud Working Group. The DoD Procurement Fraud Working Group is an ad hoc group composed of more than 30 members from various DoD organizations, including the four Defense Criminal Investigative Organizations, the three military service audit organizations, the four DoD Suspension and Debarment offices, the Defense Contract Management Agency, Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, and the Defense Contract Management Agency. In addition, representatives from the following non-DoD entities attend: Central Intelligence Agency, OIG; National Aeronautics and Space Administration, OIG; Intelligence Community OIG; Department of Justice – Criminal Division and Civil Division; and the U.S. Coast Guard. Monthly meetings focus on a wide range of procurement-related topics, including proposed/new legislation, as well as emerging fraud trends. Until the recent budgetary crisis, the Group had hosted an annual, week-long fraud seminar that routinely attracted between 150 and 200 attendees and included detailed discussions of fraud and risk assessment related topics.

Missile Defense Agency, Managers’ Internal Control Program. The Accounting Division oversees the Managers’ Internal Control Program. A Risk/Control Assessment Template is designed to assist managers’ evaluation and documentation of inherent risks and controls to mitigate the risks. The risk review also includes an assessment of fraud risks. The Missile Defense Agency contracted with an external vendor and developed online training to educate employees about risks, controls, and the Template.

Missile Defense Agency, Internal Review. Eighty percent of the auditors are Certified Fraud Examiners and hold certificates of forensic accounting. Staff holding Certified Fraud Examiner designations are required to receive annual fraud training to maintain their certifications. When Internal Review initiates an audit, team leads review Government Accountability Office, DoD OIG, and other Federal Office of Inspectors General reports to identify any fraudulent activity pertaining to the audit topic. Team leads are responsible for reviewing Missile Defense Agency Hotline inquiries and discussing case backgrounds with Internal Review senior management during audit planning. When instances of fraud or potential fraud are identified, auditors document the information in the project files. All audit programs contain specific steps to test for potential fraud.

Missile Defense Agency, Quality, Safety, and Mission Assurance. For counterfeit parts, engineers conduct risk assessments in the form of on-site reviews. Recently, 10 Missile Defense Agency contractors and 3 electronic parts distributors were evaluated for counterfeit risk. For on-site assessments of contractors, a detailed checklist is used to score the contractor’s ability to avoid, detect, contain, and report counterfeit parts and train personnel. Industry best practices were used to develop the checklist categories, which included procedures for supplier approval and selection. Answers to checklist questions help the Missile Defense Agency determine the risk of exposure of the agency to counterfeit parts. The Missile Defense Agency developed counterfeit parts training based upon the results of the assessments and meetings with stakeholders to identify vulnerabilities. The training includes information about the critical impact of counterfeit parts, counterfeit part types, procedures to detect and report suspect irregularities, and Missile Defense Agency and DoD requirements and expectations.
.\n\n\n\n\n82 \xe2\x94\x82 DODIG-2014-094\n\x0c                                                                    Summary of DoD and External\n                                                                   Organizations\xe2\x80\x99 Fraud Initiatives\n\n\nNational Geospatial Agency-Intelligence, OIG, Investigations. The Forensic\nAnalysis Support Team completes an annual risk assessment that emphasizes\nthe identification of fraud risks. The risk ranking approach begins with a team\nbrainstorming session designed to generate ideas about vulnerabilities within the\norganization. Identified topics are ranked using the following criteria: potential\ndollars recovered, project completion time, and impact on fraud deterrence.\nProposed projects are assigned a numeric ranking ranging from a high of five to a\nlow of one. A weighted score is then assigned to each proposed project. The results\nof the fraud risk assessment are used to identify forensic audit projects for the\nupcoming year.\n\nOffice of the Undersecretary of Defense, Comptroller, Financial Improvement\nand Audit Readiness Division. The organization focuses on preparing DoD\nentities for financial audits of the Statement of Budgetary Resources. As part of\nthis effort, personnel make site visits to DoD entities to educate nonfinancial\nemployees about the importance of internal controls. Another area emphasized is\nensuring that employees document internal control verifications to assist with\naudit preparedness.\n\nTricare Management Activity, Program Integrity Office. The organization is\nresponsible for all worldwide anti-fraud activities for the Defense Health Program.\nAbout 100 contractor and government subject matter experts including healthcare,\ndata analytics, and investigative representatives work to identify fraud schemes\nand trends. These proactive activities generate numerous referrals to law\nenforcement agencies. 
The organization publishes a newsletter for contractors\nto promote early identification of fraud schemes and minimize the loss of\ngovernment dollars.   Recognizing the importance of sharing information with the\nDoD investigative community, Program Integrity Office representatives attend\nand present information at task force meetings and healthcare fraud information\nsharing meetings. These meetings foster collaborative anti-fraud efforts across\nGovernment agencies and private organizations.\n\n\n\n\n                                                                                  DODIG-2014-094\xe2\x94\x82 83\n\x0cSummary of DoD and External\nOrganizations\xe2\x80\x99 Fraud Initiatives\n\n\n                 Department of the Army\n                 Army    Audit     Agency.   The   audit   organization     updated   the   Detecting   and\n                 Investigating Fraud Course to include training for auditors on conducting fraud\n                 risk assessments. The assessment methodology consists of the following steps:\n\n                         \xe2\x80\xa2\t Determining relevant fraud risks within the context of audit objectives,\n\n                         \xe2\x80\xa2\t Assessing the fraud risk environment,\n\n                         \xe2\x80\xa2\t Identifying potential fraud schemes and methods to prioritize based\n                            on risk,\n\n                         \xe2\x80\xa2\t Mapping existing controls to potential fraud schemes and testing\n                            controls, and\n\n                         \xe2\x80\xa2\t Testing for fraud.\n\n                 Additional training topics include approaches for working with DoD investigators\n                 and prosecutors, and fraud detection tools for auditors.\n\n                 Army Criminal Investigation Command. 
As part of their training and education efforts, all Army Criminal Investigation Command offices conduct fraud awareness briefings. In FY 2011 and 2012 a total of 665 briefings were completed. The organization recently produced its first anti-fraud commercial, which aired on both the Pentagon Channel and the American Forces Network. For about 25 years, all 32 Army Criminal Investigation Command offices, including Germany, Korea, and Southwest Asia, coordinated annual economic crime threat assessments. These assessments help each office develop approaches to target fraud and also identify high risks for specific geographic areas. Other stakeholders participating in the assessments include AAA, Army Internal Review, and Army Office of Security. Army Criminal Investigation Command Headquarters and field offices worked closely with AAA on numerous Southwest Asia anti-fraud efforts.

Department of the Navy

Inspector General of the Marine Corps. The purpose of the Risk and Opportunity Assessment is to provide the Marine Corps' input to the Navy Oversight Planning Board. The Board identifies and develops major risk categories within the Department of the Navy. The overarching risks are the susceptibility to fraud, waste, abuse, inefficiency, mismanagement, and statutory and regulatory noncompliance.
Direction for the assessment is provided by the Naval Audit Service and Naval OIG. The IG of the Marine Corps' input is based on the input of subordinate units. The organization also performs assessments of Marine Corps activities with multidisciplinary teams including representatives from the Readiness Division, IG of the Marine Corps, Counsel's Office, and Naval Audit Service.

Marine Corps Nonappropriated Funds Audit Service. The organization's auditors remain current on fraud trends through office subscriptions to ACFE, AICPA, and IIA publications. Auditors have access to software that allows them to view cashier activity and identify fraud indicators such as unusual refunds or purchases. Detailed fraud risk assessments, which include analysis of prior audit results, interviews with management, and internal control evaluations, are performed during all audit engagements. Audit Directors from MCNAFAS, AAFES, and NEXCOM meet annually to discuss emerging fraud trends and significant events occurring within their organizations.

Marine Corps Risk and Compliance. The effectiveness of the Marine Corps Managers' Internal Control Program contributes to its success at audit preparedness. The Program requires resources to be used in compliance with laws and regulations, and with minimal potential for waste, fraud, and mismanagement. Effective internal controls provide reasonable assurance that significant weaknesses in the design of program processes, or inherent program weaknesses, can be prevented or detected in a timely manner.

Naval Audit Service. Approximately 10 years ago, the Auditor General, Naval Audit Service, created the Internal Control, Contracting, and Investigative Audits Division.
This team was established to blend the unique skills of the Naval Audit Service and Naval Criminal Investigative Service to deter, detect, and prevent fraud within the Department of the Navy. The Naval Audit Service devotes about 20 percent of its resources annually to supporting Naval Criminal Investigative Service investigations.

The fraud risk assessment approach consists of brainstorming sessions and reviews of the internal control framework. Auditors identify internal control weaknesses to determine whether controls are in place to detect or prevent fraud. When a team's brainstorming session indicates that the potential for fraud is significant, the team obtains additional technical guidance from the Assistant Auditor General, Internal Control, Contracting, and Investigative Support Audits Division. Auditors and Executive Assistants are required to complete a Fraud Risk Assessment Checklist for all audits. This checklist is designed to ensure that auditors consider fraud risks and document the results of their work during each engagement.

Naval Criminal Investigative Service. During FY 2011 and 2012, the Naval Criminal Investigative Service provided fraud awareness briefings to more than 42,000 individuals. Within the past year and a half, the organization developed its Text a Tip program. This program enables people to submit anonymous fraud tips through text messaging. Tipsters submit information to a service provider, which then forwards the text message to a Naval Criminal Investigative Service representative.
The technology enables tipsters to communicate directly with the law enforcement agency, in real time, without revealing their identities. The entity's approach to assessing fraud risk is broadly based on information received from personnel at contiguous United States and overseas locations.

Naval Sea Systems Command. NAVSEA OIG's entity-wide fraud program is based on guidance developed by the ACFE. The integrated approach consists of policies, oversight, training, and execution. The following topics are emphasized in the NAVSEA OIG anti-fraud acquisition program:

   • Code of Ethics
   • Fraud Prevention Policies
   • Communication and Training
   • Fraud Risk Assessment
   • Controls Monitoring
   • Fraud Response Team

Representatives from the Contract Fraud Risk Assessment and Mitigation Branch facilitate fraud risk assessments at local commands. During the meetings, contract processes, internal control weaknesses, and fraud schemes are identified through discussions with process owners. The fraud risk assessments help to educate participants about fraud risk and increase their awareness of fraud. Reports documenting the identified vulnerabilities are sent to each command.

Navy Exchange Service Command.
Within the past 4 years, the Office of Internal Audit has facilitated about 30 CSAs at contiguous United States and overseas locations. CSAs help to identify fraud risks, vulnerabilities, and opportunities to improve existing controls. During the assessments, the following goals are achieved:

   • identify management's objectives,
   • brainstorm risks to include discussions about what could go wrong,
   • map processes and controls in place to reduce risks and identify gaps,
   • assess risk,
   • formulate risk rankings, and
   • identify potential solutions to identified vulnerabilities.

The CSA process helps in mitigating the risk of potential fraud and educates employees about the importance of internal controls.

Navy Risk Management and Compliance Branch. As required by the DoD Managers' Internal Control Program, the Risk Management and Compliance Branch facilitates a fraud risk assessment of the Navy's Statement of Budgetary Resources. Participants consist of employees from diverse disciplines with a wide range of knowledge about Navy operations. A top-down approach, consisting of both qualitative and quantitative measures, is used to identify fraud vulnerabilities. Brainstorming sessions are conducted to discuss business operations, internal control vulnerabilities, and potential fraud schemes. A risk scoring model is used to evaluate the likelihood of potential fraud and develop approaches for internal control testing. The Risk and Compliance Branch conducts about 10 fraud risk briefings annually. Fraud briefings are tailored to address each business unit's unique fraud vulnerabilities.
The Department of the Navy developed the Commander's Checklist for Audit Readiness to assist with educating employees about the importance of internal controls in mitigating fraud.

Department of the Air Force

Air Force Audit Agency. Air Force Audit Agency developed a 2-hour, internet-based fraud risk assessment training course. The course is accessible on Defense Connect Online.²⁹ The course includes information for auditors about requirements for conducting and documenting fraud risk assessments. Air Force Audit Agency also provides staff fraud training to include guidance on ways to support Air Force Office of Special Investigations during an investigation.

Air Force Office of Special Investigations.
Air Force Office of Special Investigations completed an entity-wide threat assessment during 2013. A second assessment will be conducted during 2014. The purpose of the assessment was to provide senior management information about vulnerabilities and risks to the organization. Areas analyzed during the review were a 5-year trend analysis of fraud cases, identification of all program offices and their related products, consideration of schemes that could potentially threaten a program, and total expenditures for each program. In the future, other DoD organizations with differing areas of expertise will be invited to participate in the threat assessment. The organization is developing an online fraud training course, which will be a mandatory requirement for all employees. Additionally, the Air Force Office of Special Investigations has historically conducted regional economic crime threat assessments, and has developed strong partnerships with both the Air Force acquisition community and legal community. The Air Force acquisition, legal, and law enforcement components have worked together to provide fraud training for acquisition officers.

At Joint Base Elmendorf-Richardson, Alaska, the Air Force Office of Special Investigations implemented the Fraud Installation Working Group.
Participating members include law enforcement representatives, Air Force Audit Agency, Air Force OIG, attorneys, nonappropriated fund accountants, contracting officials, and representatives from AAFES and the Defense Commissary Agency. The group holds quarterly meetings to discuss emerging fraud trends at contiguous United States and overseas locations. Brainstorming sessions are conducted to generate ideas about where and how fraud could occur at the Base. Similar working groups are also active at other locations within the United States and at overseas locations that include Germany and the United Kingdom. A variety of subject matter experts are recruited to serve as members at each location to assist in preventing and detecting fraud throughout the Air Force.

²⁹ Defense Connect Online is a DoD collaborative tool that includes web conferencing, video application, and desktop sharing.

External Organizations

American Institute of Certified Public Accountants. The AICPA Internal Audit and Security Directorate completes an annual fraud risk assessment. Team members meet with high-level stakeholders and discuss their perceived risks and future trends.
During the meetings, auditors' questions focus on the effectiveness of internal controls and the control environment to identify potential fraud risks. Interviewees are also asked to provide information about perceived fraud risks within other components. This information is then compared to the AICPA's strategic plan to identify situations when management's goals do not align with the organization's overall business objectives.

Association of American Medical Colleges. AAMC auditors use the annual entity-wide risk assessment as a method to teach employees about fraud and increase fraud awareness. The annual risk assessment includes both quantitative and qualitative assessments of fraud risks. During the quantitative assessment, business unit representatives are asked to consider whether fraud could occur within their areas. This approach helps to stimulate discussion and get employees thinking about fraud. Participants are also required to consider impact and opportunity when rating fraud risks. The qualitative component of the risk assessment consists of an online Risk Assessment Survey, which is sent to all risk assessment participants. Survey participants are able to respond anonymously and report suspected fraud or fraud risks. The survey tool also provides information about internal control improvement opportunities within the organization.

Council of the Inspectors General on Integrity and Efficiency Training Institute. The CIGIE Training Institute provides specialized training to a cross-section of the OIG community and auditors, inspectors, criminal and administrative investigators, Hotline operators, attorneys, and others from CIGIE-affiliated agencies. Several of the Training Institute's programs contain blocks of instruction specifically dedicated to procurement fraud, its anatomy, uniqueness, risk to the Government, and detection methods.
The Training Institute also provides assistance at several Federal government seminars and conferences where procurement fraud and its risk are discussed.

Grant Thornton. The Grant Thornton approach for conducting fraud risk assessments consists of specific procedures such as:

   • Conducting brainstorming sessions during audit planning to discuss ways in which fraud might occur. Participants vary depending on the audit objectives and include experts such as forensic auditors, information technology specialists, economists, and actuaries.
   • Asking management, those charged with governance, internal auditors, and others within the organization for information about potential fraud and fraud risks.
   • Documenting an understanding of internal controls designed to prevent or detect fraud.
   • Testing to include making relevant inquiries about management override of controls.

KPMG Forensic Practice. KPMG Forensic Practice developed "Fraud Risk Management, Developing Strategies for Prevention, Detection, and Response" as a guide for conducting organization-wide fraud risk assessments.
KPMG includes forensic specialists on all Federal financial statement audit engagements. During organization risk assessments, clients are asked to provide information about perceived risks by answering the question: "What keeps you up at night?" For clients that have undergone prior audits, forensic reviews are tailored to include perceived fraud risks and past audit results. To ensure productive audit fraud brainstorming sessions, partners emphasize the importance of professional skepticism and require participation from an individual with fraud experience.

Smart Insights Group, LLC. The organization's approach to fraud prevention and detection is summarized with the acronym EATTing, which stands for Education, Awareness, Testing, and Training. During fraud training, scenarios are performed live by staff and participants are asked to describe the fraud indicators they observed. An end-to-end assessment of the procurement lifecycle is used to assess the risk of fraud. When evaluating the overall impact that fraud has within an organization, the following areas are considered:

   • fraud scheme classification,
   • fraudster profile,
   • median loss to the business, and
   • duration of scheme.

State of Florida, OIG. The Chief OIG used electronic polling software to determine the effectiveness of the state's ethics program.
The Florida State OIGs and Agency managers conducted an entity-wide risk assessment to determine the auditability of state programs. During the review, OIGs were paired with agency managers, based on their subject matter expertise, to conduct brainstorming sessions about fraud risks. The teams considered the results of the ethics poll, past fraud findings, and prior investigations during the sessions. The entity-wide risk assessment identified high-risk programs and audit topics that would improve state agency operations.

State of North Dakota, Office of the State Auditor. Fraud risk assessments are conducted about every 2 years by 80 state agencies. The fraud risk assessment program is administered by the State of North Dakota, Office of Management and Budget, and mandatory participation by each division and/or function is required. Participants include personnel from Finance and Accounting, Human Resources Management (payroll), Purchasing and Contracting, and Information Technology. The Office of the State Auditor reviews each assessment and makes recommendations for improvements, as needed. The assessments consist of a standardized fraud risk assessment template and questionnaires designed to evaluate an agency's control environment and computer security policies and procedures.

Texas Tech University System. Auditors at Texas Tech developed an organization-wide fraud risk assessment approach called the Perception-Based Approach for Assessing Fraud Risk. Auditors act as facilitators during each fraud risk assessment session.
Experienced employees and subject matter experts at each campus are invited to participate and share their perceptions about fraud risks. Auditors develop a Glossary of Fraud Schemes based on the ACFE's Fraud Examiner's Manual. During the meetings, auditors explain each scheme to participants and describe how fraud could occur at their campus. Participants use electronic polling software to anonymously rank the fraud schemes using attributes such as materiality and likelihood. The auditors report the results of the assessments to Texas Tech management. Findings from the fraud risk assessments are used to develop fraud awareness training for employees.

University System of Georgia, Board of Regents. The audit organization maintains a list of past frauds occurring at all University locations. When performing an audit in a related area, team members frequently duplicate past procedures to increase the likelihood of detecting fraud. Auditors who worked on prior fraud cases often participate in the current fraud risk assessment to promote transfer of talent among staff. Team members also consider the number and frequency of human resources complaints because they previously observed a high correlation between complaints and increased risk of fraud.

University of Georgia, Terry College of Business. The University partnered with the American Accounting Association and conducted extensive research to identify best practices for conducting auditor fraud brainstorming sessions.
Studies showed that several factors enhanced the effectiveness of auditor brainstorming sessions, such as whether the session was led by a partner or forensic specialist, the extent of discussions about how management might perpetrate fraud, and discussions about audit responses to fraud risk. Research revealed that the use of numeric risk rankings is more effective when compared to the frequently used risk rankings of high, medium, or low.³⁰

Yale New Haven Health System. Yale New Haven Health System outsourced its Internal Audit Function to Deloitte, LLP. The entity completes an annual entity-wide risk assessment, which includes an evaluation of fraud risk. Internal Audit also performs an annual risk assessment which includes interviews with executives to assess fraud risk. Based on the results of the interviews and identification of fraud risks, Internal Audit develops a survey. The survey is sent to all employees, and anonymous responses are permitted. Demographic attributes, such as department and supervisory or nonsupervisory status, are recorded to assist with analyzing responses. Follow-up interviews are then conducted, which focus on higher fraud risk areas and activities.

³⁰ American Accounting Association, "Auditors' Use of Brainstorming in the Consideration of Fraud: Reports from the Field," Joseph F. Brazel, North Carolina State University, Tina D.
Carpenter, University of Georgia, J. Gregory Jenkins, Virginia Polytechnic Institute and State University, 2010.

Appendixes

Appendix A
Scope and Methodology

This review was self-initiated. We conducted 100 interviews with subject matter experts, representing 45 organizations from the public and private sectors, to identify approaches for assessing fraud risk, developing fraud awareness training programs, and obtaining information about fraud indicators and schemes. Subject matter experts included auditors, forensic auditors, investigators, attorneys, academics, and engineers. Interview question responses were evaluated to identify the most effective approaches for establishing fraud risk assessment programs and conducting fraud risk assessments for auditors. Additionally, we conducted background research to identify established approaches for both public and private sector organizations.
The following organizations participated in the review:

Department of Defense
   • Army and Air Force Exchange Service, Audit Division
   • Defense Commissary Agency, OIG, Audit Division
   • Defense Contract Management Agency, Contract Integrity Center
   • Defense Contract Management Agency, Internal Review
   • Defense Information Systems Agency, OIG, Audit
   • Defense Information Systems Agency, OIG, Investigations
   • Defense Logistics Agency, OIG, Audit Division
   • Defense Logistics Agency, OIG, Investigations Division
   • Defense Logistics Agency, Office of General Counsel
   • DoD OIG, Office of the Deputy Inspector General for Audit
   • DoD OIG, Office of the Deputy Inspector General for Policy and Oversight
   • DoD OIG, Office of General Counsel
   • DoD OIG, Defense Criminal Investigative Service
   • Missile Defense Agency, Managers' Internal Control Program
   • Missile Defense Agency, Internal Review
   • Missile Defense Agency, Quality, Safety, and Mission Assurance
   • National Geospatial Agency-Intelligence, OIG, Investigations
   • Office of the Under Secretary of Defense, Comptroller, Financial Improvement and Audit Readiness
   • Office of the Under Secretary of Defense, Acquisition, Technology, and Logistics, Defense Procurement and Acquisition Policy
   • Tricare Management Activity, Program Integrity Office

Department of the Army
   • Army Audit Agency
   • Army Criminal Investigation Command

Department of the Navy
   • Office of Inspector General Marine Corps
   • Marine Corps Nonappropriated Funds Audit Service
   • Marine Corps Risk and Compliance
   • Naval Audit Service
   • Naval Criminal Investigative Service
   • Naval Sea Systems Command, Office of the Inspector General
   • Navy Exchange Service Command, Office of Internal Audit
   • Risk Management and Compliance Branch

Department of the Air Force
   • Air Force Audit Agency
   • Air Force Office of General Counsel
   • Air Force Office of Special Investigations

Other Organizations
   • American Institute of Certified Public Accountants
   • Association of American Medical Colleges
   • Council of the Inspectors General on Integrity and Efficiency, Training Institute
   • Grant Thornton
   • KPMG Forensic Practice
   • Smart Insights Group, LLC
   • State of Florida, OIG
   • State of North Dakota, Office of the State Auditor
   • Texas Tech University System
   • University of Georgia, Board
of Regents
   • University of Georgia, Terry College of Business
   • Yale New Haven Health System

Appendix B
Example Naval Audit Service Performance Audit Fraud Risk Policy

1. Areas Susceptible to Fraud

   a. GAGAS requires that in planning performance audits, auditors should assess risks of fraud occurring that are significant within the context of the audit objectives.

      • Audit team members should discuss, among the team, fraud risks, including factors such as individuals' incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could allow individuals to commit fraud.
      • Auditors should gather and assess information to identify risks of fraud that are significant within the scope of the audit objectives or that could affect the findings and conclusions.
        For example, auditors may obtain information through discussions with officials of the audited entity, or through other means, to determine the susceptibility of the program to fraud, the status of internal controls the entity has established to detect and prevent fraud, or the risk that officials of the audited entity could override internal controls. An attitude of professional skepticism in assessing these risks assists auditors in assessing which factors or risks could significantly affect the audit objectives.

      • When auditors identify factors or risks related to fraud that has occurred, or is likely to have occurred, that they believe are significant within the context of the audit objectives, they should design procedures to provide reasonable assurance of detecting such fraud. Assessing the risk of fraud is an ongoing process throughout the audit and relates not only to planning the audit but also to evaluating evidence obtained during the audit.

      • When information comes to the auditors’ attention that indicates that fraud significant within the context of the audit objectives may have occurred, auditors should extend the audit steps and procedures, as necessary, to determine whether fraud has likely occurred and, if so, determine its effect on the audit findings. The audit managers should inform senior audit management of the potential fraud before extending their audit steps and procedures, and use their professional judgment in determining the nature and extent of additional audit steps and procedures to be performed. Each audit is unique, and any additional procedures performed should be determined on a case-by-case basis. As determined necessary, audit managers should also consider consulting with the agency Fraud Monitor for guidance.

      • If the fraud that may have occurred is not significant within the context of the audit objectives, the auditors should immediately make their chain of command aware of the potential fraud. Audit management will decide whether to address the potential fraud as part of the ongoing effort, or as a spin-off audit effort by the same or another audit team. With senior audit management approval, a decision may be made to refer the matter to other parties with oversight responsibility or jurisdiction.

   b. Auditors should never conclude that because an activity has good internal controls, it is unlikely that fraud exists.
      In any audited program, seemingly good internal controls can fail (e.g., management and employees can inappropriately bypass or override internal controls, and a changing environment or collusion can cause internal controls to be ineffective in preventing fraud). Auditors need to consider, in advance of site visits, potential fraud schemes that could apply, and be aware of red flags that could indicate that fraud may have occurred. Auditors must complete the Fraud Risk Matrix when performing their work.

   c. When auditors identify factors or risks related to fraud that has occurred, or is likely to occur, that they believe are significant within the context of the audit objectives, they should design procedures to provide reasonable assurance of detecting such fraud. If, subsequent to the completion of the fraud risk assessment, information comes to the auditors’ attention that fraud may have occurred that is significant within the context of the audit objectives, auditors should extend the audit steps and procedures, as necessary, to determine whether the fraud has likely occurred, and if so, determine its effect on the audit findings.

   d. As part of the fraud risk assessment, the audit team should identify those aspects of the planned work that involve potential fraud that could significantly impact the results of the audit. The team should prepare a work paper documenting the completion of the fraud risk assessment, including the results of the fraud risk assessment, and the impact of fraud risks on the nature, timing, and extent of audit procedures.

   e. Monitoring Fraud Risk Assessments. In order to ensure documentation of compliance with GAGAS and agency standards for fraud risk assessments, Executive Assistants are required to monitor fraud risk assessments for each audit and work with auditors as needed to ensure that the audit team understands the requirements in the fraud risk assessment process.

      (1) A Fraud Risk Assessment Checklist has been developed to ensure completeness and consistency for conducting fraud risk assessments. The checklist is to be completed by both the audit teams and the Executive Assistants.

         • The audit team will complete the work paper reference column in order to assist Executive Assistants in their review of fraud risk assessments.
           Audit teams are encouraged to complete the checklist and send it to their Executive Assistant for review as early in the audit process as possible to avoid a delay in issuing the report.

         • Executive Assistants will review the referenced documentation and place a checkmark in the appropriate column for each audit, verifying whether the referenced work paper documentation supports completion of the corresponding GAGAS requirement.

      (2) Special Concerns for Surveys of Major Procurement and Contract Administration Functions

         During the survey phase of major procurement and contract administration audits, auditors should determine the existence and consider the impact of audits issued by the Defense Contract Audit Agency. Such reports should be available at the command under review. If not, copies should be requested. Auditors should also determine during the survey phase whether any related contracts are administered by organizations other than the Department of the Navy, such as the Defense Contract Management Agency, Department of the Army, or Department of the Air Force.

Fraud Risk Assessment Checklist

Monitoring Fraud Risk Assessments
To ensure documentation of compliance with GAGAS and internal standards for fraud risk assessments, Executive Assistants, or other audit organization designees, are required to monitor the fraud risk assessment for each audit and work with auditors as needed to ensure that the audit team understands the requirements in the fraud risk assessment process. All Executive Assistants must complete the Fraud Risk Assessment Checklist for each audit and certify completion of this requirement on the Referencing Certification form. All questions are to be answered by going to source work papers (not summary work papers).

The first three items on the checklist are mandatory for every audit. The audit team should complete the Work Paper Reference column, and the reviewer must indicate “Yes” or “No” as applicable. The last two questions are applicable to the Executive Assistant only if fraud risk indicators were identified. If the team did not identify any fraud risk indicators, they should list “N/A” in the Work Paper Reference column for those questions.

Questions that initially result in a “No” require the Project Manager to take appropriate action.
If corrective action is taken by the Project Manager, the Executive Assistant should then change the “No” to “Yes.” All unresolved issues must be elevated to the Assistant Auditor General.

Table B-1. Auditor Fraud Checklist

Question | Workpaper Reference | Yes | No

   1. In planning the audit, did the audit team assess risks of fraud occurring that are significant within the context of the audit objectives? (GAGAS 6.30)

   2. Did the auditors document the discussion of fraud risks among the team members? (GAGAS 6.30)

   3. Did the team thoroughly document the fraud risk assessment, including audit procedures performed, evidence obtained, and conclusions reached that support the auditors’ conclusion on fraud risk? (GAGAS 6.79)

   4. If auditors identified factors or risks related to fraud that has occurred or is likely to have occurred that they believe are significant within the context of the audit objectives, did the team design procedures to provide reasonable assurance of detecting fraud? (GAGAS 6.31)

   5. If there are indications that fraud that is significant within the context of the audit objectives may have occurred, did the auditor extend the audit steps and procedures to: (1) determine whether fraud has likely occurred, and (2) if so, determine its effect on the audit findings? (GAGAS 6.32)

Note: Boxes highlighted in yellow must be completed.

Example Draft and Final Report Cross-Referencing and Referencing Certification
Prior to release or issuance of the draft report, I completed the Fraud Risk Assessment Checklist to ensure the fraud risk assessment has been completed and that it contains documentation of compliance with GAGAS and agency policies and procedures.

Signature:

Executive Assistant, or

Other Organization Designee Signature:

Performance Audit Tool: Fraud Risk Matrix – Considering Whether Fraud is Significant to Performance Audit Objectives
The team should answer the following questions as part of their consideration of the risks due to fraud that could significantly affect their audit objectives and the results of their audit. When responding to the questions below, consider that some activities are more susceptible to fraud than others. For example, if the audit objective focuses on the authorized use of purchase cards, fraud could be significant to the audit objectives if the program lacked adequate internal controls over the possession and use of purchase cards.

Table B-2. Auditor Fraud Risk Matrix

Consideration of Risk Due to Fraud | If “Y(es),” the risk of fraud is relevant and potentially significant to the audit objectives

   1. In the team’s judgment, was the program or activity covered by the audit objectives susceptible to a significant risk of fraud from:
      • Misappropriation or misuse of program assets; or
      • Misstatement or misrepresentation of program information or results in order to obtain or continue receiving government funding or benefits?

   2. Did the team identify conditions, such as the following, that might indicate a heightened risk of fraud?
      • The entity’s financial stability, viability, or budget is threatened by economic, programmatic, or entity operating conditions;
      • The nature of the audited entity’s operations provided opportunities to engage in fraud;
      • Poorly designed internal controls that provide the opportunity for fraud to occur and not be identified by existing management and oversight processes;
      • Weak management that fails to enforce existing internal controls or provide adequate oversight over the control process;
      • Inadequate separation of duties, especially those that relate to controlling and safeguarding resources;
      • Inadequate monitoring by management for compliance with policies, laws, and regulations;
      • The organizational structure is unstable or unnecessarily complex;
      • Transactions that are out of the ordinary and are not satisfactorily explained, such as unexplained adjustments in performance or financial information;
      • Repeated use of sole-source contracting;
      • Instances when employees of the audited entity refused to take vacations or accept promotions;
      • Lack of communication and/or support for ethical standards by management;
      • Management has a willingness to accept unusually high levels of risk in making significant decisions;
      • A history of impropriety, such as previous issues with fraud, waste, abuse, or questionable practices, or past audits or investigations with findings of questionable or criminal activity;
      • Operating policies and procedures have not been developed or are outdated;
      • Key documentation is lacking, altered, does not exist, or there are unexplained delays in providing information;
      • Lack of asset accountability or safeguarding procedures;
      • Improper payments;
      • False or misleading information;
      • A pattern of large procurements in any budget line with remaining funds at year end, in order to “use up all of the funds available”; or
      • Unusual patterns and trends in contracting, procurement, acquisition, and other activities of the entity or program under audit.

   3. Had the team identified indications of potential fraud in areas that fall outside the audit objectives that could have a significant impact on program or function operations or reputation? (Use the same indicators discussed in question 2 in making this assessment.)

   4. Had the team identified strong indications that potential fraud occurred, regardless of significance to the audit objectives, that could pose a reputation risk to the Department of the Navy if exposed to the public?

Procedures for Coordinating with Other Organizations
The audit team should determine whether the OIG for the activity being audited has identified through investigations or other means any questionable or criminal activity in the program that is significant to the audit objectives and whether there have been any Hotline or other complaints related to the audit objective.
This may be accomplished through inquiry and/or a review of any applicable Hotline complaints, published investigation reports, or other written documents. The audit team should coordinate with their chain of command to determine if they have received copies of any Hotline complaints or referrals that are significant either to the audit objectives or that identify potential fraud, and are outside the potential objectives. Auditors must include a slide in the 90-day survey briefing for senior audit management that discusses the results of the fraud risk assessment.

Actions Required if There Are Indications of Fraud
If the auditors answered “Yes” to question 1, 2, 3, or 4 in Table B-2, or if the auditors identified other indications of fraud during coordination with the activity OIG, Fraud Monitor, or any other individual, they should inform senior audit management. The Fraud Monitor will be available (as requested) to meet with the Project Manager and/or Audit Director to discuss any potential fraud issues.

Additional Audit Program Requirements
When the auditors identify factors or risks related to fraud that has occurred, or is likely to have occurred, that they believe are significant within the context of the audit objectives, they should design procedures to provide reasonable assurance of detecting such fraud. If, subsequent to the completion of the fraud risk assessment, information comes to the auditors’ attention that fraud may have occurred that is significant within the context of the audit objectives, the auditors should extend the audit steps and procedures, as necessary, to determine whether the fraud has likely occurred, and if so, determine its effect on the audit findings.

Documenting the Impact of Fraud on Audit Planning
As part of the fraud risk assessment, the audit team should identify those aspects of the planned work that involve potential fraud that could significantly impact the results of the audit. The team should prepare a work paper documenting the completion of the fraud risk assessment, including the results of the fraud risk assessment, and the impact of fraud risks on the nature, timing, and extent of audit procedures.

Appendix C
Example Naval Audit Service Fraud Risk Assessment Work Paper

Work Paper Title: Planning
Step Title: Fraud Risk Assessment
Prepared By: Auditor, Date
Reviewed By: Audit Manager, Date

Purpose: Discuss with audit team members, and the auditee, potential fraud risks, considering fraud factors such as individuals’ incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could allow individuals to commit fraud;

   • Gather and assess information necessary to identify fraud risks that are within the scope of the audit objectives, or could affect the results of their audit.
   • Complete the Fraud Risk Matrix and the Fraud Assessment Checklist and attach to this audit step.

Criteria: GAGAS December 2011 Revision, paragraph 6.30, states that in planning audits, auditors should consider risks due to fraud that could significantly affect their audit objectives and the results of their audit.

Source: Audit Program (Additional detail should be provided for source as deemed appropriate for conducting the fraud risk assessment.)

Audit Personnel: List engagement personnel

Scope/Methodology: The team discussed the Fraud Risk Matrix and the environment with the auditee to determine if the potential for fraud existed and to ensure that the audit objectives captured any areas of risk.

Results: After discussing considerations outlined in the Fraud Risk Matrix, the team determined that the potential risk of fraud for the auditee is significant to the audit objectives. Box 1 of the Fraud Risk Matrix states, “In the team’s judgment, is the program or activity covered by the audit objectives susceptible to a significant risk of fraud from, 1) misappropriation or misuse of program assets; or 2) misstatement or misrepresentation of program information or results in order to obtain or continue receiving government funding or benefits.” The audit team felt that the auditee was susceptible to both of these risks based on information obtained thus far. The information obtained showed that the organization received money through multiple funding streams. To date, the organization was not able to present team members with an acceptable audit trail and supporting documentation regarding how the funds were received and disbursed.

Box 2 of the Fraud Risk Matrix states, “Did the team identify conditions, such as the following, that might indicate a heightened risk of fraud?” Below are some of the main points team members discussed regarding fraud risks:

   • “The nature of the audited entity’s operations provides opportunities to engage in fraud.” The audit team felt that this was a fraud risk because the organization’s mission requires employees to travel extensively. During some of the preliminary analysis, the audit team noticed that the internal controls over the travel process may be weak (missing receipts, lack of proper scrutiny, and excess expenses claimed). Therefore, we believe the extensive travel paired with the weak internal controls provides an opportunity for fraud to occur.

   • “The organizational structure is unstable or unnecessarily complex.” The positions at the audited entity are constantly changing. The audit team was told by employees of the auditee that they are unsure of their position titles because the organizational structure has frequently changed. The audit team noted that some employees’ titles differ from what is listed on their position descriptions and the job functions they are performing.

   • “A history of impropriety, such as previous issues with fraud, waste, abuse, or questionable practices, or past audits or investigations with findings of questionable or criminal activity.” The audit team obtained two investigations that were conducted at the organization, one completed in 2000 and the other in 2011; both of these investigations contained similar findings. The investigations mentioned the possibility of inappropriate use of funds, i.e., funds not being used for their intended purpose. The investigations also mentioned possible abuse of travel within the organization. Although we have not proven any of the accusations detailed in the investigation at this time, we believe that the potential risk of fraud was higher, based on the results of the prior investigations.

   • “Operating policies and procedures have not been developed or are outdated.” The audit team reviewed the hiring practices of the organization. The review disclosed that the auditee was lacking policies or procedures related to hiring new employees. As a result, we feel that the lack of official guidance provides opportunities to circumvent Federal hiring laws and regulations.

   • “Improper Payments.” The audit team has documented several instances of excessive mileage claimed on travelers’ vouchers. The excess mileage was sometimes double what it should have been, resulting in overpayments to the travelers. The audit team also encountered questionable items on travelers’ vouchers that did not contain receipts or supporting documentation, i.e., cancelled airfare claimed on a voucher.

   • “False or misleading information.” The audit team interviewed the Travel Manager and was told that there are no Self-Approving Officials. Upon further investigation, the team identified one traveler (the Travel Manager) listed in DTS as a Self-Approving Official.

   • Box 3 of the Fraud Risk Matrix stated, “Has the team identified indications of potential fraud in areas that fall outside the audit objectives that could have a significant impact on program or function operations or reputation?” The audit team answered no to this question. However, we identified high-risk areas that fall outside the audit objectives that could have a significant impact on the program, function, operations, and reputation. Our opinion is based on a procurement audit that is currently being performed by another Federal audit organization (in response to the 2011 investigation). Additionally, the auditee employs a large number of contractors, in comparison to the number of Government employees. This situation could potentially lead to contractors performing inherently governmental tasks.

Fraud – Results:
Box 4 of the Fraud Risk Matrix stated, “Has the team identified strong indications that potential fraud actually occurred, regardless of significance to the audit objectives, that could pose a reputation risk to the Department of the Navy if exposed to the public?” The audit team answered yes to this question based on our analysis of travel vouchers. We observed excess mileage claims, missing receipts for airfare and lodging, and one voucher that claimed reimbursement for a cancelled airfare ticket.

The Fraud Risk Matrix includes a requirement for auditors to coordinate with their chain of command to determine if there were any Hotline complaints or referrals that are significant either to the audit objectives or that identify potential fraud that were outside the objectives. The Fraud Risk Matrix stated that the Fraud Risk Monitor would be available (as requested) to meet with audit management to discuss any potential fraud issues.
Based on the audit team’s assessment of the Fraud Risk Matrix, we determined that a meeting should be requested with the Fraud Monitor.

The team also completed the fraud assessment checklist and referenced the applicable work papers.

Conclusion:
The audit team developed audit objectives to detect fraud and reduce fraud risk based on the results of the Fraud Risk Matrix.

Appendix D
Example DoD OIG, Fraud Interview Questionnaire – Financial Statement Audit

AICPA, Statement on Auditing Standards 99, Consideration of Fraud in a Financial Statement Audit Interview Questionnaire

Interviewee:
Interviewee Title:
External Audit Organization Interviewers:
OIG representative(s):
Date of interview:

I. Business Risks Faced

   1. Without regard to fraud and abuse, what are the key business risks that you face in carrying out your office’s responsibilities?

   2. Did these business risks affect other offices outside your span of control?

   3. What have you done to address these business risks as it relates to instituting/strengthening internal controls and revising processes?

II. Fraud Awareness

   1. How long have you been in this position?

   2. How long have you been with the organization?

   3. Do you have any knowledge of any fraud that has been perpetrated, or any alleged or suspected fraud perpetrated against the organization?

   4. Do you have any knowledge of allegations or actual fraudulent reporting, that is to say, knowledge that raw data or reports are being or have been manipulated to present reported results which differ from the actual results?

   5. Do you have any knowledge of misstated balances that were knowingly reported at the end of a period, hoping that those balances would correct themselves in the subsequent reporting period?

   6. Do you have any knowledge of allegations or actual misappropriation of assets by individuals at the organization, or knowledge of individuals inappropriately incurring obligations for which the entity will be responsible for settling?

   7. Do you have any knowledge of anyone within the organization’s management team overriding or subverting internal controls, or concerns of any potential opportunities for such overrides to be perpetrated?

   8. Are you aware of any pressures or incentives at any level of management that might contribute to fraudulent activities?

   9. Are your annual performance ratings tied to any benchmarks for financial performance and/or reporting metrics?

   10. Do you perceive the risks of fraud to exist within your office, and what controls did you rely upon to mitigate the risks of fraud?

   11. Do you feel that agency management was honest and forthright, and do you feel comfortable approaching management if you had any issues or concerns?

   12. Do you feel that agency management and staff receive the proper training and supervision to perform their duties?

   13. If you were to become aware of, or suspect, an act of fraud or other illegal activity, what steps would you take to address it, and who would you notify?

   14. Are you aware of any additional offices for which a risk of fraud may be more likely to exist than others, or are of specific concern to you?

   15. Do you believe that there are any members of internal or external senior management who are unfit to perform their assigned duties, or should not hold a position of authority?

III. Conclusion

Given what we have discussed today, is there anything else that you would like to bring to our attention?

Appendix E
Example IIA, AICPA, ACFE, Fraud Risk Assessment Framework

Table E is for illustrative purposes and focuses solely on potential revenue recognition risks within financial reporting.31 A full fraud risk assessment would consider fraudulent financial reporting in other areas relevant to the organization, such as accounts subject to estimation, related-party transactions, and inventory accounting. In addition, the risk of misappropriation of assets, corruption, and other misconduct would be assessed in the same manner.

Table E. 
Example Financial Reporting Fraud Risk Assessment\n                                                                                                                                                 Controls\n          Identified Fraud                                                         People and/or                                              Effectiveness                        Fraud Risk\n         Risks and Schemes              Likelihood            Significance          Department          Existing Anti-fraud Controls          Assessment       Residual Risks      Response\n                 (1)                        (2)                    (3)                  (4)                          (5)                            (6)             (7)                (8)\n    Financial Reporting              Reasonably             Material              Sales            Controlled contract                      Tested by IA       N/A              Periodic\n    Revenue recognition              possible                                     personnel        administration system                                                        testing\n    Backdating                                                                                                                                                                  by IA\n    agreements\n    Holding books open               Reasonably             Material              Accounting       1.\t Standard monthly close process       1.\t Tested by IA   Risk of          Testing of late\n                                     possible                                                      2.\t Reconciliation of invoice register   2.\t Tested by      management       journal entries\n                                                                                                       to general ledger                        management     override\n                                                                                                 
                                                                               Cut off testing\n                                                                                                   3.\t Established procedures for           3.\t Tested by IA                    by IA\n                                                                                                       shipping, invoicing, and revenue     4.\t Tested by IA\n                                                                                                       recognition\n                                                                                                   4.\t Established process for\n                                                                                                       consolidation\n\n\n\n\n  \t31\t\n         IIA, AICPA, ACFE, \xe2\x80\x9cManaging the Business Risk of Fraud: A Practical Guide,\xe2\x80\x9d not dated.\n\n\n\n110 \xe2\x94\x82 DODIG-2014-094\n\x0c                                                                                                                                                          Appendixes\n\n\n                                                                                                                     Controls\n  Identified Fraud                                     People and/or                                              Effectiveness                        Fraud Risk\n Risks and Schemes        Likelihood    Significance    Department            Existing Anti-fraud Controls        Assessment       Residual Risks      Response\n         (1)                  (2)            (3)            (4)                            (5)                          (6)             (7)                (8)\nLate shipments          Reasonably     Significant     Shipping dept.   
1.\t Integrated shipping system,         1.\t Test by IA     Risk of          Cut off\n                        possible                                            linked to invoicing and sales       2.\t Tested by      management       testing\n                                                                            register                                management     override         by IA\n                                                                        2.\t Daily reconciliation of shipping    3.\t Tested by IA\n                                                                            log to invoice register\n                                                                        3.\t Required management approval\n                                                                            of manual invoices\nSide letters/           Probable       Material        Sales            1.\t Annual training of sales and        1.\t Tested by      Risk of          Disaggregated\nagreements                                             personnel            finance personnel on revenue            management     override         analysis of sales,\n                                                                            recognition practices               2.\t Tested by                       sales returns,\n                                                                        2.\t Quarterly signed attestation of         management                      and adjustments\n                                                                            sales personnel concerning extra                                        by salesperson\n                                                                            contractual agreements\n                                                                        3.\t Internal audit confirming with\n                                                                            customers that there are no\n                      
                                                      other agreements, written or\n                                                                            oral, that would modify the terms\n                                                                            of the written agreement\nInappropriate journal   Reasonably     Material        Accounting       1.\t Established process for             1.\t Tested by IA   1.\t Risk of      Data mining of\nentries                 possible                       & Finance            consolidation                       2.\t Tested by IA       override     journal entry\n                                                                        2.\t Established, systematic access                         2.\t N/A          population by\n                                                                                                                3.\t Tested by                       IA for:\n                                                                            controls to the general ledger          management     3.\t N/A\n                                                                        3.\t Standard monthly and quarterly                                          \xe2\x80\xa2\t Unusual\n                                                                            journal entry log maintained.                                              
Debit/Credit\n                                                                            Review process in place                                                    combinations\n                                                                            for standard entries, and                                               \xe2\x80\xa2\t Late entries\n                                                                            nonstandard entries subject to                                             to accounts\n                                                                            two levels of review                                                       subject to\n                                                                                                                                                       estimation\n\nRoundtrip               Remote         Insignificant   N/A              N/A                                     N/A                N/A              N/A\ntransactions\nManipulation            Remote         Insignificant   N/A              N/A                                     N/A                N/A              N/A\nof bill and hold\narrangements\n\n\n\n\n                                                                                                                                                    DODIG-2014-094 \xe2\x94\x82 111\n\x0c  Appendixes\n\n\n                                                                                                                              Controls\n     Identified Fraud                                        People and/or                                                 Effectiveness                           Fraud Risk\n    Risks and Schemes         Likelihood    Significance      Department          Existing Anti-fraud Controls             Assessment           Residual Risks     Response\n            (1)                   (2)            (3)              (4)                          (5)       
                        (6)                 (7)               (8)\n   Early delivery           Reasonably     Significant       Sales and       Systematic matching of sales order to     Tested by                Adequately       N/A\n   of product               possible                         shipping        shipping documentation; exception         management               mitigated by\n                                                                             reports generated                                                  control\n   Partial shipments        Reasonably     Significant       Sales and       1.\t Systematic shipping documents         Tested by                Adequately       N/A\n                            possible                         Shipping            manually checked against every        management               mitigated by\n                                                                                 shipment.                                                      control\n                                                                             2.\t Systematic matching of sales\n                                                                                 order to shipping documentation;\n                                                                                 exception reports generated.\n                                                                             3.\t Customer approval of partial\n                                                                                 shipment required prior to\n                                                                                 revenue recognition\n   Additional                                                                Systematic shipping documents\n   revenue risks                                                             manually checked against every\n                                                                             shipment\n\n\n\n       
  (1)\t Identified Fraud Risks and Schemes: This column should include a full list of the potential fraud risks and schemes that\n               may face the organization. This list will be different for different organizations and should be based on industry research,\n               interviews     of   employees    and      other   stakeholders,   brainstorming       sessions,       and    activity       on    the   whistleblower     hotline.\n\n         (2)\t Likelihood of Occurrence: To design an efficient fraud risk management program, it is important to assess the likelihood of the\n               identified fraud risks so that the organization establishes proper anti-fraud controls for the risks that are deemed most likely. For\n               purposes of the assessment, it should be adequate to evaluate the likelihood of risks as remote, reasonably possible, and probable.\n\n         (3)\t Significance to the Organization: Quantitative and qualitative factors should be considered when assessing the significance of\n               fraud risks to an organization. For example, certain fraud risks may only pose an immaterial direct financial risk to the organization,\n               but could greatly impact its reputation, and therefore, would be deemed to be a more significant risk to the organization. For\n               purposes of the assessment, it should be adequate to evaluate the significance of risks as immaterial, significant, and material.\n\n\n\n\n112 \xe2\x94\x82 DODIG-2014-094\n\x0c                                                                                         Appendixes\n\n\n(4)\t People and/or Department Subject to the Risk: As fraud risks are\n     identified and assessed, it is important to evaluate which people inside\n     and outside the organization are subject to the risk. 
This knowledge will\n     assist the organization in tailoring its fraud risk response, including\n     establishing appropriate segregation of duties, proper review and\n     approval chains of authority, and proactive fraud auditing procedures.\n\n(5)\t Existing Anti-fraud Internal Controls: Map pre-existing controls to the\n     relevant fraud risks identified. This activity occurs after fraud risks are\n     identified and assessed for likelihood and significance. By progressing in\n     this order, this framework intends for the organization to assess\n     identified fraud risks on an inherent basis, without consideration of\n     internal controls.\n\n(6)\t Assessment of Internal Controls Effectiveness: The organization\n     should have a process in place to evaluate whether the identified controls\n     are operating effectively and mitigating fraud risks. Companies subject\n     to the provisions of The U.S. Sarbanes-Oxley Act of 2002 Section 404,\n     will have a process such as this in place. Organizations not subject to\n     Sarbanes-Oxley should consider what review and monitoring procedures\n     would be appropriate to implement to gain assurance that their internal\n     control structure is operating as intended.\n\n(7)\t Residual Risks: After consideration of the internal control structure,\n     it may be determined that certain fraud risks may not be mitigated\n     adequately due to several factors, including properly designed controls\n     are not in place to address certain fraud risks or controls identified\n     are not operating effectively. These residual risks should be evaluated by\n     the organization during the development of the fraud risk response.\n\n(8)\t Fraud Risk Response: Residual risks should be evaluated by the\n     organization and fraud risk responses should be designed to address\n     remaining    risk.   The   fraud   risk   response   could   be   one.   
or   a\n     combination of implementing additional controls, designing proactive\n     fraud auditing techniques, and/or reducing the risk by exiting the activity.\n\n\n\n\n                                                                                   DODIG-2014-094 \xe2\x94\x82 113\n\x0c  Appendixes\n\n\n  Appendix F\n  Example Smart Insights Group, LLC, Internal Control Evaluation Questionnaire\n        Question Title                         Description                             Points        Score                      Comments/Notes\n   Oversight             To what extent has the overall agency established a        0-20        20           DoD Instruction, XYZ, directed all business units to\n                         process and resources responsible for the identification                            establish safeguards to prevent, detect, and report\n                         and oversight of fraud risks?                                                       fraud at all Medical Treatment Facilities.\n   Ownership             To what extent has the agency created ownership            0-20        20           All senior officers were required to develop and\n                         of fraud risks by assigning a member of its senior                                  maintain effective internal controls across their areas\n                         management team with responsibility for:                                            of responsibility. 
Each senior officer was required to\n                         1.\t Managing fraud risks within the organization; and                               document their anti-fraud efforts to include:\n                         2.\t Communicating to agency personnel about                                         \xe2\x80\xa2\t Designation of an Anti-Fraud Program Manager.\n                              the topic of fraud and their responsibilities for                              \xe2\x80\xa2\t A high level statement outlining the responsibility\n                              reporting incidents?                                                              of all personnel to monitor against fraud and\n                                                                                                                prevent fraud.\n                                                                                                             \xe2\x80\xa2\t The process for monitoring, reporting, and\n                                                                                                                investigating fraud, with clearly defined roles and\n                                                                                                                responsibilities.\n                                                                                                             \xe2\x80\xa2\t Appropriate anti-fraud training.\n                                                                                                             \xe2\x80\xa2\t Process to promote fraud awareness among staff and\n                                                                                                                outside parties (including vendors, patients, etc.).\n                                                                                                             \xe2\x80\xa2\t Identification of available remedial actions\n                                    
                                                                            when fraud occurs (e.g., criminal, civil, and\n                                                                                                                administrative penalties.)\n                                                                                                             \xe2\x80\xa2\t Regular and active involvement of senior leadership\n                                                                                                                on fraud issues and corrective actions.\n\n\n\n\n114 \xe2\x94\x82 DODIG-2014-094\n\x0c                                                                                                                                                           Appendixes\n\n\n    Question Title                             Description                             Points        Score                       Comments/Notes\nAssessment               To what extent has the agency implemented an ongoing       0-20        20           Periodically, but at a minimum, annually, each business\n                         process to identify and evaluate changing fraud risks?                              unit must assess and document fraud risks. 
The\n                                                                                                             assessment must address the following topics:\n                                                                                                             \xe2\x80\xa2\t Overall incentives, opportunities, and pressures to\n                                                                                                                commit fraud.\n                                                                                                             \xe2\x80\xa2\t Programs where ineffective or nonexistent internal\n                                                                                                                controls create opportunities for fraud.\n                                                                                                             \xe2\x80\xa2\t Likelihood and impact of fraud within\n                                                                                                                those programs.\n                                                                                                             \xe2\x80\xa2\t A final report, summarizing the assessment results\n                                                                                                                and planned corrective actions, must be sent to\n                                                                                                                senior leadership prior to December 31.\n                                                                                                             Information for the assessment can come from:\n                                                                                                             \xe2\x80\xa2\t OIG Inspections and Hotline reports.\n                                                                                                         
    \xe2\x80\xa2\t Managers\xe2\x80\x99 Internal Control Program and other\n                                                                                                                internal reviews.\n                                                                                                             \xe2\x80\xa2\t External audits, reports, and studies.\n                                                                                                             \xe2\x80\xa2\t Management observations and judgment.\nRisk Management          To what extent has the agency implemented a                0-30        30           DoD Instruction, XYZ, established the organization\xe2\x80\x99s\nPolicy                   fraud policy?                                                                       fraud policy. This policy outlined the responsibilities of\n                                                                                                             employees regarding the organization\xe2\x80\x99s fraud program\n                         The policy should identify the individual/team, within                              to include military and civilian personnel. 
Anti-Fraud\n                         the agency, that will be responsible for managing fraud                             Program Manager, General Counsel, Comptrollers,\n                         risks, and the associated activities to be undertaken to                            Contracting Officers.\n                         manage the fraud risks.\nAnti-Fraud Controls      To what extent has the agency implemented process          0-20        10           The organization identified preventive and detective\n                         level controls and/or activities that are designed to                               controls as part of the annual fraud risk assessment.\n                         prevent, deter and/or detect the fraud risks identified                             However, the organization would benefit by\n                         through the agencies risk assessment?                                               implementing additional detective controls.\nProcess Re-engineering   To what extent has the agency implemented measures         0-20        0            The organization did not consider process\n                         to eliminate or reduce, through process re-engineering,                             re-engineering as an approach to address fraud risks.\n                         the fraud risks identified through the agencies risk\n                         assessment?\n\n\n\n\n                                                                                                                                                      DODIG-2014-094 \xe2\x94\x82 115\n\x0c  Appendixes\n\n\n        Question Title                          Description                              Points        Score                        Comments/Notes\n   Workplace Culture     Preventing major frauds requires a strong emphasis on creating a workplace environment that promotes ethical behavior, deters wrongdoing, and\n                         encourages all employees 
to communicate any known or suspected wrongdoing to the appropriate person.\n                         To what extent has the organization implemented a process to promote ethical behavior, deter wrongdoing and facilitate two-way communication\n                         on ethical issues?\n                         Is there an identified Senior Member of the                  0-10        5               Yes, the organization is required to have an Anti-Fraud\n                         management team that has been singularly tasked with                                     Program Manager. However, because of the size of the\n                         the responsibility for ensuring the agency\xe2\x80\x99s processes                                   program and increased fraud risks, the duties should be\n                         promote ethical behavior, deter wrongdoing and                                           shared with another employee.\n                         report matters of misconduct in a timely manner (i.e., a\n                         designated Ethics Officer)?\n                         A code of conduct for employees, which gives clear           0-10        10              The organization does have a code of conduct and also\n                         guidance as to what behavior is permitted/prohibited.                                    requires annual ethics training. 
Description (continued): The code of conduct should identify how employees: (1) seek additional advice when faced with an uncertain ethical dilemma; (2) communicate concerns about known or potential wrongdoing.
Comments/Notes: Information about communicating potential wrongdoing is documented in DoD Instruction, XYZ.

Description: Regular fraud training is available for all new hires as well as all on-board FTEs and contractors.
Points: 0-10
Score: 3
Comments/Notes: Annual fraud training is required for all employees, including contracting officers. However, current training has not been updated within the past five years and contractors are not required to participate in the training.

Description: Multiple communication methods are available to employees, contractors, and vendors to seek advice prior to making difficult ethical decisions and to express concern about known or potential wrongdoing. Anonymous reporting is allowed.
• Agency communication methods should include an ethics/compliance hotline or e-mail address that is actively monitored by ethics or compliance personnel.
• Provision should be made to enable communications to be made anonymously.
• Emphasis should also be placed upon the Whistleblower provisions, which are intended to protect individuals from retribution.
Points: 0-10
Score: 4
Comments/Notes: The organization maintained fully staffed and experienced Hotline personnel at various contiguous United States locations. Awareness of Whistleblower protections could be improved when the annual fraud training is updated.

116 │ DODIG-2014-094

Appendixes

Question Title: Workplace Culture (cont'd)
Description: Monitoring of compliance with the code of conduct and participation in required training (i.e., requiring an annual employee attestation of understanding, compliance and completion of training, and auditing of such attestations to confirm their completeness and accuracy).
Points: 0-10
Score: 4
Comments/Notes: The organization has yet to implement a process that ensures that all employees completed annual fraud training. The current process requires a self-certification without documentation (i.e., Certificate of Training, etc.).

Question Title: Proactive Detection Methods
Description: To what extent has the agency established a process to proactively detect incidents of potential fraud?
• Develop and perform fraud detection tests.
• Implement embedded transaction "flags" (manual or automated) to target suspicious transactions or activity.
Points: 0-20
Score: 10
Comments/Notes: The organization performs manual fraud detection tests quarterly. However, there are no automated transaction flags to detect suspicious transactions or activities.

Excerpts from Department of the Navy Bureau of Medicine and Surgery Instruction 5370.4, April 1, 2010
From: Chief, Bureau of Medicine and Surgery

Subject: NAVY MEDICINE ANTI-FRAUD PROGRAM

1. Purpose. To direct Navy Medicine commands to establish safeguards to prevent, detect, and report fraud. This instruction documents existing anti-fraud efforts and initiates new and enhanced efforts to implement fraud programs at Navy Medicine Medical Treatment Facilities.

2. Applicability.
Applies to all Navy Medicine commands.

3. Background.

   a. Fraud is any willful means of taking or attempting to take unfair advantage of the government, including but not limited to:

      (1) The offer, payment, or acceptance of bribes or gratuities.
      (2) Making of false statements, submission of false claims, or use of false weights or measures.
      (3) Evasion or corruption of inspectors and other officials.
      (4) Deceit by suppression of the truth or misrepresentation of a material fact.
      (5) Adulteration or substitution of material.
      (6) Falsification of records or accounts.
      (7) Arrangements for secret profits, kickbacks, or commissions.
      (8) Cases of conflict of interest, criminal irregularities, and unauthorized disclosure of official information connected with acquisition and disposal matters.
      (9) Conspiracy to use any of these devices.

   b. Navy Medicine is susceptible to fraud committed by government personnel (civilian and military), contractors, vendors, patients, or other outside parties.

4. Policy. Fraud directly threatens our core mission of providing high-quality, economical health care to eligible beneficiaries.
As such, all personnel within Navy Medicine must maintain constant vigilance to identify and report suspected fraud. Commanders, commanding officers, and officers in charge must establish a tone across their area of responsibility that fraud, regardless of magnitude, will not be tolerated. Accordingly, each command in Navy Medicine must develop an anti-fraud program that includes the following elements:

   a. Fraud Risk Management Program. Each command must formally document its anti-fraud assets and efforts, including

      (1) A high-level command statement outlining the responsibility of all personnel to monitor against and prevent fraud (e.g., code of conduct, command policy, commander's note).
      (2) The process for monitoring, reporting, and investigating fraud, with clearly defined roles and responsibilities.
      (3) An anti-fraud program manager, appointed by the commander.
      (4) Appropriate anti-fraud training.
      (5) Processes to promote fraud awareness among staff and outside parties (including vendors, patients, etc.).
      (6) Identification of available remedial actions when fraud occurs (e.g., criminal, civil and administrative penalties).
      (7) Regular and active involvement of command senior leadership, including the Executive Steering Committee on fraud issues and corrective actions.

   b. Periodic
Fraud Risk Assessment. A command's mission, size, complexity, organizational structure, and resources help determine its vulnerability to fraud. These factors differ at each command and vary over time. Periodically, but at least annually, each Navy Medicine command must assess and document its own fraud risk. Assessing fraud risk allows commands to focus internal control efforts where the likelihood and/or impact of fraud is greatest. Since prevention of fraud is one of the key objectives of internal controls, the fraud risk assessment should be a subset of a comprehensive internal control risk assessment.

      (1) Information for this assessment can come from:
          (a) OIG inspections and Hotline reports.
          (b) Managers' Internal Control Program assessments.
          (c) Command Evaluation Program and other internal reviews.
          (d) External audits, reports, and studies.
          (e) Commanders and/or management observations and judgment.

      (2) The assessment should identify the:
          (a) Overall incentives, opportunities, and pressures to commit fraud.
          (b) Programs where ineffective or nonexistent internal controls create opportunities for fraud.
          (c) Likelihood and impact of fraud within those programs.

   c. Prevention Techniques. An effective system of internal controls is the best means to prevent fraud.
Although fraud of any magnitude negatively impacts mission accomplishment, each command must determine an acceptable level of risk and develop internal controls accordingly. Preventative controls must be focused on areas where the likelihood and/or impact of fraud are the highest. Preventative controls can include policies, procedures, training, and communication.

   d. Detection Techniques. For certain types of fraud, it is more effective to detect and address fraud after it occurs rather than trying to prevent it before it occurs. Detective controls are most effective for areas where the likelihood of fraud is low but potential impact is severe. They can also help assess the effectiveness of preventative controls. Detective controls are often clandestine in nature, to ensure they are not easily circumvented.

      (1) Examples of detective controls include:
          (a) Unannounced inventory inspections.
          (b) Reconciling accounting transactions with supporting documentation at random intervals.
          (c) Ad hoc audits and analyses.
          (d) Data mining.
          (e) Automated system flags (e.g., disbursements over a certain dollar amount, excessive number of purchase card transactions to a single vendor).
      (2) Potential fraud may also be detected during the course of internal reviews (including the command evaluation program) and external audits (e.g., OIG inspections, Naval Audit Service audits).

   e. Reporting, Investigative, and Corrective Action Process

      (1) Navy Medicine personnel will report all suspected fraud for further analysis and investigation. If there is any doubt on whether or not something constitutes fraud, the incident should be reported.

5. Responsibilities

   a. Commanders will:
      (1) Formally establish and document a culture across their area of responsibility that fosters constant vigilance against fraud, protects those who report fraud, and demands appropriate corrective action when fraud occurs.
      (2) Implement a system of effective internal controls to detect and prevent fraud across the programs with the highest level of risk.
      (3) Ensure full cooperation with all fraud investigations.
      (4) Develop a comprehensive remedies plan, with appropriate corrective and disciplinary action, for all substantive fraud cases within their area of responsibility.
      (5) Review substantive cases of fraud for systemic internal control deficiencies and report, as appropriate, in the annual Managers' Internal Control Program, Statement of Assurance.
      (6) Appoint an Anti-Fraud Program Manager, from within the command's OIG staff, to advise the command on anti-fraud matters.
      (7) Ensure personnel complete mandatory annual anti-fraud training.
      (8) Ensure full compliance with this instruction within their area of responsibility.
   b. All Navy Medicine Personnel (military and civilian) will:
      (1) Exercise due diligence in monitoring for fraud.
      (2) Report suspected fraud per this instruction.
      (3) Complete mandatory annual anti-fraud training.

   c. The Anti-Fraud Program Manager will:
      (1) Serve as senior advisor to management on fraud issues.
      (2) Develop and implement initiatives to promote awareness across the AOR of means to detect, prevent, and report fraud.
      (3) Provide periodic updates to the Executive Steering Committee (or equivalent) on fraud issues within the area of responsibility.
      (4) Provide anti-fraud course content requirements for inclusion in the contracting office representative training course.
      (5) Develop anti-fraud training for all Navy Medicine personnel. Anti-fraud training should include, at a minimum:
          (a) Legal definition of fraud.
          (b) Areas of greatest fraud vulnerability within Navy Medicine.
          (c) Responsibility of all personnel to monitor for and report suspected fraud.
          (d) Signs of fraud.
          (e) Ways to detect and prevent fraud.
          (f) Ways to report suspected fraud.
          (g) Potential criminal, civil, and administrative consequences of fraud.

Appendix G
Example Grant Thornton Client Report and Heat Map
Confidential

Date

Client Name

Re: Fraud Risk Assessment Preliminary Report

Dear (Auditee Name),

At your request, we have performed certain procedures under your direction to assess fraud risk. This report concludes Phase I of our work as described in our engagement letter dated XX. On (date) we visited the organization to interview select personnel and gather documentation. We describe below the procedures performed, our findings, and recommendations for additional steps.

Procedures Performed
This engagement was designed to include the following four distinct phases:

   I.   Overall risk assessment/project organization
   II.  Assess existing compliance systems, practices and procedures
   III. Develop findings and recommendations
   IV.  Prepare report with recommendations

In this phase, Phase I, we performed an overall assessment of your current anti-fraud and governance policies and procedures.
The objective of this phase was to obtain enough of an understanding of the control structure and potential risks at the organization to allow us to finalize the scope for the remainder of the project.

The primary procedures performed during the risk assessment included:

   1. Review of the current code of conduct and anti-fraud policies and procedures.
   2. Review of relevant background information including prior internal audit reports, employee handbooks, and various policies and procedures.
   3. Interviews with select personnel, including:
      i.   Controller
      ii.  Business Administrator
      iii. Human Resources Manager
      iv.  Information Technology Manager
   4. Identified high-risk areas.

Findings and Observations
Based on the procedures listed above, as well as discussions with personnel, we identified the following observations and recommendations:

   1. Department X currently does not have formal anti-fraud policies and procedures. The organization should document and implement fraud specific policies and procedures that describe fraudulent conduct, punishment for engaging in fraudulent conduct, and procedures to report the fraudulent conduct.
These policies should be disseminated to all employees through e-mail communications, training programs, or other intercompany communication methods.

   2. Organization policies state that complaints can be made anonymously, but they do not provide instructions on how to make an anonymous complaint. A "hotline" does not exist. Clarifying the policy and implementing an anonymous whistleblower hotline would provide a channel for employees to anonymously voice concerns regarding irregularities in the company's accounting methods, internal controls, or auditing matters, without fear of repercussions from individuals within the organization.

   3. Controls over the set up and maintenance of vendors are lacking. Vendors are added on an ad hoc basis without conducting background checks, or vendor due diligence. Implementing a vendor approval process, including using background checks and vendor due diligence to screen vendors, will reduce the risk that unauthorized vendors are added to the system. In addition, to prevent the appearance of favoritism or conflict of interest, vendors should be periodically rotated, where it makes business sense.

   4. Department X should establish a standard vendor contract that includes a right to audit clause.
Large vendors that transact frequently with Department X should be required to execute the standard vendor contract.

   5. Department X does not monitor external employment of its employees. Based on our discussions, we learned that some employees may have additional external employment. To preclude potential conflicts of interest, Department X should require employees to complete a disclosure document that includes external employment and business ownership. This document should be reviewed to identify potential conflicts of interest and the information should be kept in a log by Human Resources.

   6. During the course of our interviews, we were informed that several managers and officers were not completely familiar with the contents of the employee handbook. To effectively manage and monitor employee performance, managers and officers should be aware of the standards that apply to employees.

   7. The organization does not have a formal training program. It is recommended that the organization implement formal training for all employees. Areas that should be addressed include: new hire training, periodic training for managers and officers on the employee handbook, and specific training covering ethics and anti-fraud policies of the entity. Employees should be required to sign a document acknowledging participation in such training. This helps create awareness and responsibility throughout the organization.

   8. Employees are not required to take vacations. It would be advisable to implement a mechanism to monitor vacation balances of key employees and encourage employees who have accrued maximum allowed vacation days to take vacations.
Many internal frauds require manual intervention, and are, therefore, discovered when the perpetrator is absent from their duties for a period of time. The enforcement of mandatory vacations can reduce the risk that frauds are not detected.

   9. During the course of our interviews, we inquired about previous instances of fraud. Three of the interviewees stated that they could recall only one instance of fraud. Each cited an incident that was different from that cited by the other interviewees. As such, we were made aware of three separate incidents of fraud that had occurred over the last three to five years. We also learned that a consolidated fraud incident list is not maintained. Maintaining a list of fraud incidents can serve as an educational tool to increase awareness and improve controls within the organization.

   10. Department X receives checks and cash by mail. Mail is sorted and items believed by mail room personnel to contain checks and/or cash are delivered to the finance department. This mail sorting function is not supervised. A surveillance camera to monitor activity in the mailroom can reduce the risk of theft of funds received by mail.
Rotating personnel performing the mail sorting function could limit the risk of checks or cash being intercepted prior to delivery to the finance department.

   11. We were informed that employees perceived differences in perquisites between officers and non-officer employees. For example, an officer may be permitted to bring a child into the office during the work day, while this is prohibited for non-officer employees. The differences perceived by employees could negatively impact employee morale.

   12. The controller is the lone approver for user rights within the accounting software. This would potentially allow the controller to request a change to his rights to circumvent current controls within the finance function. At a minimum, the Business Administrator should review and approve requests for changes to the controller's access rights. This would allow the controller to continue to review and approve changes to the accounting staff's rights.

   13. Computers do not automatically lock users out after a period of inactivity and screensavers are not password protected. This would allow a passerby to access an individual's computer and potentially access sensitive information or circumvent internal controls within the finance function.

   14. Currently, the system allows multiple simultaneous log-ins using the same user identification and password.
The organization should implement a procedure that would prohibit use of a user identification to log in simultaneously on multiple computers.

   15. Computers are not currently encrypted. It was mentioned during our interviews that the organization would be implementing encryption on the computers within Finance, Human Resources, and Information Technology Management. However, as it currently stands, the lack of encryption potentially exposes sensitive organizational data if the computers were stolen.

   16. Although the capability exists to monitor failed access attempts, the Information Technology Department does not currently monitor the log. Periodic monitoring would help to detect hackers attempting to gain access to sensitive data.

Proposed Phase II Tasks
As indicated in our proposal, we have used results and findings of the Phase I assessment as the basis to design Phase II of the project. We have identified areas where we believe it would be beneficial to conduct additional procedures. We propose performing the following more detailed procedures:

   1. Vendor and payment procedures.
Grant Thornton can perform an in-depth analysis of vendors and payments including:
      a. Analysis of vendor maintenance procedures.
      b. Vendor master file and employee master file matching.
      c. Vendor master file analysis (same/similar addresses, PO Boxes, no addresses).
      d. Vendor usage by department.
      e. Vendor usage by type of expense.
      f. Above average payments to a vendor.
      g. Above average voided vouchers per vendor.
      h. Duplicate payment testing.
      i. Accounts payable credits and voided voucher matching.
      j. Vendor selection approval and bid review process.

   2. Cash and check receipting procedures. Grant Thornton can perform a thorough walk-through of the cash and check receipting procedures to determine proper controls surrounding the process from the moment a check/cash enters the facility to its deposit in the bank and recording of the receipt in the accounting books. This review will also include testing controls around petty cash, wire transfers and payroll.

   3. Vacation activity. Grant Thornton can conduct a historical review of vacation activity of key employees to determine if any employees have not taken vacation days.

   4. Policies and procedures. Grant Thornton can perform tests in certain areas to ascertain whether practice conforms to written policies and procedures.
Examples of areas we could examine include:
      a. Investment monitoring – perform a basic review of the investment policy to verify management of investment accounts conform to stated investment policy. We understand the last in-depth external analysis of investment policy compliance was performed in 2007.
      b. Hiring/termination of employees – verify that Human Resources conducts background checks prior to making an offer of employment to new hires. Verify that Human Resources follows the steps outlined in the terminations/resignations policies and procedures.
      c. Information Technology – verify compliance with policies and procedures providing access to key systems and programs by testing selected authorization documentation.
Key systems and programs would include: (Insert Names).
      d. Finance and accounting – verify that proper invoice approval is obtained from department heads prior to payment.

Restrictions of this Report
This preliminary report is prepared solely for the internal use of the organization. Our services were provided in accordance with the statement of standards for consulting services promulgated by the AICPA and, accordingly, did not constitute a rendering by Grant Thornton LLP or its partners or staff of any legal advice, nor do they include the compilation, review, or audit of financial statements. Grant Thornton makes no representations regarding questions of legal sufficiency. We performed the procedures within the agreed upon scope. Had we performed other procedures, we may have identified other information that would have been included in this report. If additional information that may change our findings is found, we reserve the right to supplement this report accordingly.

We appreciate the opportunity to serve you in this matter.
If we could assist you by explaining our work in more detail, please do not hesitate to contact us.

Sincerely,

Name/Title

Example Heat Map (Appendix G, continued): a matrix with one column per assessed entity (five columns headed "[Insert Relevant Entity]", grouped under Entity/Unit/Region) and one row per assessed item; the recoverable row, under the Accounting Function heading, reads "Local Accounting System Fully Integrated" with the value "Yes" in each of the five entity columns.
             Yes\n                                                                                                                                                                                       Yes\n                                                                                                                                                                                                  Yes\n                                                                                                                                                                                                             Yes\n                                                                                                                                                                                                                        Yes\n                                                                                                                                                                                                                                   Co-Located within geography\n\n                                                                                                                                                                                                                                   Revenue and Balance Sheet\n\n\n\n\n                                                                                                                                                                            Yes\n                                                                                                                                                                                       Yes\n                                                                                                                                                                                                  Yes\n                                                                                
                                                                                                                             Yes\n                                                                                                                                                                                                                        Yes\n                                                                                                                                                                                                                                    Balances Typically Above\n                                                                                                                                                                                                                                          Materiality\n\n                                                                                                                                                                                                                                     Local Operations Solely a\n\n\n\n\n                                                                                                                                                                            No\n                                                                                                                                                                                       No\n                                                                                                                                                                                                  No\n                                                                                                                                                                                                             No\n                                                                                                                
                                                                                                        No\n                                                                                                                                                                                                                                        Support Function\n                                                                                                                                                                                                                                                                    Structure Risk Factors\n\n\n\n\n                                                                                                                                                                                                                                 % of Revenue Generated by Third\n\n\n\n\n                                                                                                                                                                            0%\n                                                                                                                                                                                       2%\n                                                                                                                                                                                                  4%\n                                                                                                                                                                                                             0%\n                                                                                                                                                                                                                        4%\n                                                                                              
                                                                                                                                   Party Business Development in FY\n                                                                                                                                                                                                                                                                                                        TABLE G. Example Grant Thornton Client Heat Map\n\n\n\n\n                                                                                                                                                                                                                                       2011 \xe2\x80\x93 Three Quarters\n\n\n\n\n                                                                                                                                                                            3\n                                                                                                                                                                                       3\n                                                                                                                                                                                                  3\n                                                                                                                                                                                                             3\n                                                                                                                                                                                                                        3\n                                                                                                                                                                                                                                
         Structure Score\n\n\n\n\n                                                                                                                                                                            No\n                                                                                                                                                                                                  No\n                                                                                                                                                                                                             No\n\n\n\n\n                                                                                                                                                                                       Yes\n                                                                                                                                                                                                                        Yes\n\n\n\n                                                                                                                                                                                                                                   Prior Investigation Conducted\n\n\n                                                                                                                                                                                                                                      Number of Ethics Line\n\n\n\n\n                                                                                                                                                                            0\n                                                                                                                                                                                       0\n                                                                            
                                                                                                                      0\n                                                                                                                                                                                                             0\n                                                                                                                                                                                                                        3\n\n\n\n\n                                                                                                                                                                                                                                         Reports for FY\n\n\n                                                                                                                                                                                                                                    Years of Service \xe2\x80\x93 Finance\n                                                                                                                                                                                                  3\n\n\n\n\n                                                                                                                                                                            1.42\n                                                                                                                                                                                       6.25\n                                                                                                                                                                                                             9.58\n                                                                                                                                             
                                                                           2.33\n\n\n\n\n                                                                                                                                                                                                                                             Manager\n\n\n                                                                                                                                                                                                                                    Years of Service \xe2\x80\x93 Country\n                                                                                                                                                                                                             0\n\n\n\n\n                                                                                                                                                                                                  1.5\n\n\n\n\n                                                                                                                                                                            1.25\n                                                                                                                                                                                       1.42\n                                                                                                                                                                                                                        2.25\n\n\n\n\n                                                                                                                                                                                                                                             Manager\n                                                                                                                                
                                                                                                                                    Alignment to Headquarters Factors\n\n\n\n\n                                                                                                                                                                            2\n                                                                                                                                                                                                             2\n\n\n\n\n                                                                                                                                                                                       0\n                                                                                                                                                                                                  2\n                                                                                                                                                                                                                        -2\n\n\n\n\n                                                                                                                                                                                                                                     Fraud & Corruption Score\n\n\n                                                                                                                                                                                                                                    Fiscal Year of Last External\n                                                                                                                                                                            2009\n                                                                                                                                
                                                                             2011\n\n\n\n\n                                                                                                                                                                                       2011\n                                                                                                                                                                                                  2010\n                                                                                                                                                                                                                        2011\n\n\n\n\n                                                                                                                                                                                                                                             Audit Visit\n\n\n                                                                                                                                                                                                                                  Entity Below Scoping Threshold\n                                                                                                                                                                                                                        No\n\n\n\n\n                                                                                                                                                                            Yes\n                                                                                                                                                                                                             Yes\n\n\n\n\n                                                                                                                                                           
                            Yes\n                                                                                                                                                                                                  Yes\n\n\n\n\n                                                                                                                                                                                                                                      for External Audit (20%)\n\n\n                                                                                                                                                                                                                                    Fiscal Year of Last Internal\n                       The following weights were used to develop the Heat Map\xe2\x80\x99s weights: Structure Risk Factors 33%, Alignment to Headquarters Factors 33%, Audit 33%.\n                                                                                                                                                                            2009\n                                                                                                                                                                                                             2011\n                                                                                                                                                                                                                        2011\n\n\n\n\n                                                                                                                                                                                       2011\n                                                                                                                                                                                                  2010\n                                                      
                                                                                                                                                                                                              Audit\n\n\n\n\n                                                                                                                                                                                                                                             Audit Visit\n\n\n                                                                                                                                                                                                                                  Entity Below Scoping Threshold\n                                                                                                                                                                                                                        No\n\n\n\n\n                                                                                                                                                                            Yes\n                                                                                                                                                                                       Yes\n                                                                                                                                                                                                  Yes\n                                                                                                                                                                                                             Yes\n\n\n\n\n                                                                                                                                                                                                                                      for Internal Audit (10%)\n 
                                                                                                                                                                           0\n                                                                                                                                                                                       0\n                                                                                                                                                                                                  0\n                                                                                                                                                                                                             0\n                                                                                                                                                                                                                        4\n\n\n\n\n                                                                                                                                                                                                                                       Audit Structure Score\n                                                                                                                                                                            1.7\n                                                                                                                                                                                                             1.7\n                                                                                                                                                                                                                        1.7\n\n\n\n\n                                                                                                                                          
                                             1.0\n                                                                                                                                                                                                  1.7\n                                                                                                                                                                                                                                                 Risk\n                                                                                                                                                                                                                                                Total\n\n                                                                                                                                                                                                                                                Score\n\x0c                                                                                       Appendixes\n\n\nAppendix H\nExample NAVSEA, Office of the Inspector General,\nContract Fraud Risk Assessment and Mitigation Branch,\nOrganization Fraud Risk Assessment Report\nRisk Area\nContract Fraud Risk Assessment\n\n\nPrepared by\nContract Fraud Risk Mitigation (C-FRAM) Team\n\n\nRisk Concern\nCommand\xe2\x80\x99s (CMD\xe2\x80\x99s) efforts to mitigate the risk of contract fraud, waste, abuse,\nand mismanagement.\n\n\nMethodology\nOur objective is to assess the CMD\xe2\x80\x99s tone from the top, internal controls, and\nongoing monitoring efforts related to mitigating the risk of contract fraud, waste,\nabuse, and mismanagement. At the CMD, the C-FRAM Team met with CMD\nContract Department leadership and discussed management\xe2\x80\x99s tone from the top\nregarding fraud, waste and abuse. 
The C-FRAM Team also conducted a COR focus group and randomly selected 2 of the 13 CORs for further interviews. The team interviewed these CORs and examined their COR files to assess the methods the CORs used to detect and deter fraud, waste, abuse, and mismanagement. The team also conducted a focus group with the contracting officers. Our findings are described in detail below.

Tone from the Top
A positive control environment is the foundation for all other standards. It provides discipline and structure as well as the climate which influences the quality of internal control. Several key factors affect the control environment. One factor is the integrity and ethical values maintained and demonstrated by management and staff. Agency management plays a key role in providing leadership in this area, especially in setting and maintaining the organization's ethical tone, providing guidance for proper behavior, removing temptations for unethical behavior, and providing discipline when appropriate.32

During the COR focus groups and follow-up interviews, the team inquired whether the CORs were familiar with the CMD's code of ethics. The CORs stated that they all took the annual ethics training in the Total Workforce Management System (TWMS). The CORs also stated that they received quality support from the command counsel. The CORs also stated that the CMD's code of ethics was not discussed on a regular and recurring basis, and most could not remember the last time the Commanding Officer expressed his opinion on the subject.
The CORs also stated they discussed some questionable ethical situations with their department heads. The Commanding Officer acknowledged that in a command of roughly 11,000 people, reaching the staff is a challenge.

NAVSEA Instruction (NAVSEAINST) 4200.17E, "Contracting Officer's Representative," May 13, 2013, pg. 9, para b (2) states "The COR Supervisor is required to provide oversight and monitor the performance of the CORs duties and responsibilities as well as seek performance feedback from the respective contracting officers. The COR supervisors shall ensure that adequate time and resources are available for performance of the COR responsibilities. The COR supervisor MUST establish a performance objective for the employee reflecting the COR's assigned duties. The COR Supervisor shall include a separate critical performance element, either on single contract or multiple contracts, reflecting COR duties assigned."

During the COR focus group, several focus group members stated they were overwhelmed and rarely had time to complete their COR responsibilities. The C-FRAM Team requested copies of each COR's performance objectives. Of the three performance objectives reviewed, none had a separate performance element reflecting COR duties assigned.
Failing to ensure that COR performance plans include a separate critical element describing COR responsibilities increases the risk that this important oversight function will be undervalued and underperformed, and violates NAVSEAINST 4200.17E, "Contracting Officer's Representative," May 13, 2013.

32 GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (November 1999: Washington D.C.), pg. 8.

The C-FRAM Team was informed that Code 400 annually assesses COR files. These assessments take place between April and June. COR supervisors provide performance feedback in either March or October, depending on the CORs' pay plan. Therefore, the official performance feedback provided to CORs lags the time of performance by 3 to 11 months.

Conclusion
The team assessed CMD's tone from the top as marginally ineffective. A majority of the focus group members could not recall the last time the Commanding Officer discussed ethical behavior, nor could they state the Commanding Officer's opinion on fraud, waste, abuse, and mismanagement. Further, failing to ensure that employees are properly rated on their oversight functions, such as COR responsibilities, indicates that this function is not valued by management. These factors, taken as a whole, imply a negative tone from the top on oversight.

Control Activities
Cost mischarging is a fraud scheme in which a contractor intentionally submits false or inflated invoices to the government.
Cost mischarging is differentiated from erroneous billing by the fact that inappropriate charges for cost mischarging are intentional. Proper cost monitoring and COR surveillance mitigate both the risk of cost mischarging and the risk of erroneous billing.

NAVSEA Office of the Inspector General reviewed the CMD’s service contracting process, to include Professional Support[33] and Multi-Ship / Multi-Option (MSMO) contract processes. CMD contracting staff and Shipbuilding Specialists stated that the bulk of CMD’s contracting is done via MSMO contracts. MSMO contracts use an incentive fee to ensure taxpayers receive good value for dollars allocated to the contract. The incentive fee rewards the contractor for completing work under the agreed estimate of costs. For the incentive fee methodology to work properly, the government must ensure the contractor does not over-inflate its estimates. Over-inflated contractor estimates increase NAVSEA’s risk of cost mischarging schemes and erroneous billings.

[33] CMD’s support service contracts are under another CMD’s warrant.

During our review, the C-FRAM Team discussed the CMD’s processes for ensuring that proper work estimates are provided in a timely manner. The members of the contract specialist/officer focus group unanimously stated that the Independent Government Estimates (IGE) were unusable because they lacked any detail or substantiation. The Technical Assessment Review (TAR) Team echoed these concerns and stated that the IGE is sometimes just numbers without any explanation. Further, the TAR Team stated that the Fleet would frequently either change or add new work at the last minute, which gives the TAR group insufficient time to ensure that the contractor estimate is not over-inflated and is otherwise accurate. For example, one contractor Variance Analysis Worksheet explained a 75 hour underrun by stating “Resources allocated for the beginning of the job overestimated the level of effort required based upon historical risk analysis. Based on current work progress, expect full utilization of remaining resources to provide oversight as work pace increases.” The Worksheet went on to explain “Resource loading in the schedule will be adjusted to reflect where level of effort will be needed.” So, the contractor overestimated the number of hours needed to do the job, and the government did not catch the overestimation.

Another Variance Analysis Worksheet explained a 35% variance with the following:

    “Reasons for schedule variance are as follows:

    • Work stopped while the contractor considered subcontracting this work item out. When work resumed by the contractor, a Quality Control inspection of the door found a failed chalk test, and work was stopped again.

    • Unplanned costs for repairing the door and frame of about 200 hours are starting to impact the estimate at completion cost.

    • Slow and poor workmanship has impacted the hours of this work item.”

Yet another Variance Analysis Report explained a 305.11% variance, totaling 1,481.5 additional hours. Of the 1,481.5 hours, approximately 500 hours were due to “The Contractor Shipyards welder and shipfitter inefficiencies.” These Variance Analysis Worksheets indicate the contractor cost control incentives built into this contract are not working. Further, the vague and non-descriptive explanations limit the government’s ability to improve its estimation process or to identify potential fraud, waste, abuse, and mismanagement.

Conclusion
The team assessed the CMD’s fraud, waste, abuse, and mismanagement control activities as ineffective. By failing to ensure the contractor has not overinflated its estimates and that the contractor provided detailed explanations for cost variances, the CMD increased NAVSEA’s risk of cost mischarging, fraud, waste, abuse, and mismanagement.

Monitoring
Internal control should generally be designed to ensure that ongoing monitoring occurs in the course of normal operations. It is performed continually and is ingrained in the agency’s operations.
It includes regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties.[34]

During our contracting specialist/officer focus group, the C-FRAM Team was informed that the number one factor affecting their ability to ensure good value for the taxpayer dollar was the fact that the work packages continued to change throughout the contract negotiation process. According to the Joint Fleet Forces Maintenance (JFFM) Schedule, changes are supposed to stop at a certain date to give the TAR group sufficient time to analyze the requirements and to give the contracting specialist/officer sufficient time to properly negotiate with the contractor. But according to the focus group members, this schedule is not being respected. During the meeting, the C-FRAM Team requested data supporting these claims. Further, the C-FRAM Team interviewed the TAR group and the Contract Department management, asking about metrics on these claims. We were informed that no such metrics exist.

The CMD uses several other contracting commands to obtain services and materials. During the review, the C-FRAM Team was informed that the CMD Contracting Department has little to no visibility over the money put on these contracts and the work performed by these contractors. As these contracts are not let on a NAVSEA warrant, they are not the CMD Contracting Department’s responsibility. However, if the CMD does not have an internal control to ensure a Statement of Work (SOW) to SOW comparison, then the CMD is at risk for contract-shop shopping,[35] duplicative services fraud schemes,[36] and waste. The CMD does not have regular and recurring command metrics on CMD funds transferred to other commands for contractual services. The C-FRAM Team asked the CMD Finance Department about funds going to other contracting shops, specifically, the CMD Contracting Department. The CMD Finance Department provided a “50/50” report that listed, amongst other things, amounts obligated by the Contracting Department to other commercial shipyards.

[34] GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (November 1999: Washington D.C.), pg. 20.

During our focus groups and follow-up interviews, the team noted the CMD COR workload was unevenly distributed, especially at another detachment. The vast majority of the CORs we interviewed at the CMD Headquarters were COR on one or two contracts; however, the CORs at CMD detachments were COR on up to eight contracts. Most concerning was an individual that was COR on seven cost-plus type contracts and one fixed price contract. This same individual was also the project manager on multiple availabilities.
We followed up with the COR Certification Manager (CCM) to determine the root cause of the uneven distribution in workload. The CCM stated (1) that he was new to the seat and working to get a previously semi-dormant program back up to full speed; and (2) there are limited CORs available at the detachments.

Conclusion
The team assessed the CMD’s monitoring efforts as marginally ineffective. The CMD’s ineffective distribution of COR workload increases the risk these oversight functions will not be performed and increases the risk of fraud, waste, abuse, and mismanagement.

Recommendations
To address our finding that the CMD could improve its tone from the top, the team recommends that the CMD:

1. Develop a means to communicate the Commanding Officer’s message on fraud, waste, abuse, and mismanagement to CMD contract oversight personnel, which includes but is not limited to, CORs, contract specialists, and contracting officers.

[35] Other contract CMDs do not require the stringent COR oversight described under NAVSEAINST 4200.17, “Contracting Officer’s Representative,” May 13, 2013.
[36] A duplicative services fraud scheme occurs when an individual contracts with the first contractor to actually do the work and then contracts with a second contractor that bills the government for the same work. The individual then receives some kickback from the second contractor.

To address our finding that the CMD failed to follow NAVSEAINST 4200.17E, “Contracting Officer’s Representative,” May 13, 2013, the CMD is required to:

2. Ensure that all CORs have separate performance objectives describing their COR responsibilities.

To address our finding that the CMD’s internal controls were ineffective, the team recommends that the CMD:

3. Ensure that IGEs contain sufficient detail to give contracting officers and specialists the information they need to effectively negotiate with the contractor; and

4. Develop a means to get meaningful explanations for contractor cost variances.

To address our finding that the CMD could improve its methods for monitoring internal controls, the team recommends the CMD:

5. Develop metrics that track (1) the timeliness of work changes on scheduled availabilities; and (2) the true cost of those changes, which includes but is not limited to, dollars spent on planning work that is descoped and price differences for new work added late in the process;

6. Develop a process that ensures the CMD Contracting Department is given a “right of first refusal” for all contracts funded by the CMD; and

7. Evenly distribute COR workload at the CMD and all detachments.

C-FRAM’s assessment of the organization’s tone at the top, control activities, and ongoing monitoring efforts related to mitigating the risk of contract fraud, waste, abuse, and mismanagement is illustrated in Table H. Ratings of ineffective or effective are applied to summarize the review results.

Table H. C-FRAM’s Assessment of the Reviewed Organization

    Area                  Ineffective                        Effective
    Tone from the Top                  ✓ (marginally ineffective)
    Control Activities        ✓
    Monitoring                         ✓ (marginally ineffective)

Appendix I
Procurement Fraud Personality Risk Profiles
Similar to the Fraud Triangle model, specific personality risk profiles[37] were developed to describe procurement fraudsters. These six personality risk profiles can be placed into three categories: the Procurement Fraudsters, the Procurement Abusers, and the Procurement Non-Compliance Employees. Each one of the six personalities creates a different risk or vulnerability to organizations.
The six personality risk profiles are:

• Situational Fraudster
• Deviant Fraudster
• Business Abuser
• Multi-Interest Abuser
• Well-Intentioned Noncompliance Employee
• Disengaged Noncompliance Employee

While the Fraudsters and Abusers of the procurement process create a direct financial loss, damage the organization’s reputation, or cause media embarrassment, the Noncompliance employees create unnecessary exposure to fraud, litigation, and wasted resources and funds. However, the most concerning is that the Noncompliance employees open the door and create new opportunities for fraudsters, which is why the vulnerabilities they create need to be taken seriously.

Situational Fraudster
The Situational Fraudster is very similar to the traditional fraudster. This employee appears to be frustrated at work; has rationalized their right to an illegal enrichment; and perpetrates the fraud scheme when the right occasion occurs, usually because of weak internal controls. When the Situational Fraudster is caught, other employees are not surprised that the individual was involved in the fraud.

[37] Tom Caulfield, Executive Director, CIGIE Training Institute, “Procurement Integrity’s Integrated Controls vs. the Fraudster,” May 2013, to be published at a future date.

Deviant Fraudster
The Deviant Fraudster is the most serious threat to the organization because they cause the most damage. They are always proactive in their search for opportunities to commit fraud; possibly perceived as one of the company’s hardest workers or best contractors; and carry the “veil of trust” from others within the organization. This employee has a strong group of advocates who deny assertions that the fraudster is involved with any wrongdoing. The Deviant Fraudster, when internal to an organization, is also the employee who takes only a few days of leave each year and seems to have their hand in every process within their business unit. This person is sometimes described as a “wheeler-dealer.”

When comparing the Situational Fraudster and the Deviant Fraudster, the Situational Fraudster is far more prevalent in any contract, but the losses are much less, normally under a hundred thousand dollars. However, if the Deviant Fraudster successfully bribes an official to allow fraudulent billing submissions with a promise of kickbacks, or a contractor implements a fraudulent cost accounting scheme, the losses could be in the millions of dollars.

Business Abuser
Most published articles or classes on procurement fraud discuss the Situational or Deviant Fraudsters; however, additional vulnerabilities are created by other personality types. For example, the Business Abuser is the person that committed an inappropriate act that on its face seems to benefit the organization and not themselves.
However, in reality, the Business Abuser commits the fraud to increase their standing within the organization, as someone that could continuously increase business and generate revenues. In general, this employee is looking to enhance their financial position in yearly bonuses, awards, or incentive pay.

The Business Abuser may inappropriately shift cost between contracts to make their unit appear better managed than it really is, or will bypass required quality control steps to ensure more timely or early deliverables. The Business Abuser is found in organizations with unrealistic operational demands perceived by the workforce, or when product delivery is emphasized above everything. The employee rationalizes their inappropriate actions as entitlement because it is linked to mission success. This individual poses a great deal of difficulty for prosecution, as the fraud investigator has to demonstrate with sufficient evidence that the fraud was done knowingly and with the intent to receive monetary compensation in the future.

Multi-Interest Abuser
The Multi-Interest Abuser is the person that manipulates the procurement process to advance their own interests and the interests of another person. This is not done to obtain any financial advantage, but instead to help a friend secure a contract, or to ensure that an award goes to a desired contractor, or to help family members. The Multi-Interest Abuser is the person who drafted contract specifications for a specific contractor; or who embellished the need for a sole source justification to avoid the competitive process; or who slanted technical specifications to a specific bidder. The Multi-Interest Abuser is not motivated by any direct financial compensation, but raises significant risk to an organization in contract protests or in potential payment of higher costs because the competitive process is circumvented. Clearly, if the inappropriate actions of this person were motivated by personal financial gain, this person would be categorized as a Procurement Fraudster and not an abuser.

The next two personality risk profiles are rarely talked about during fraud courses, but present a risk to the organization that is harder to identify than the Fraudster or Abuser. These last two risk profiles fall into the category of the Procurement Noncompliance Employees.

Well-Intentioned Noncompliance Employee
The Well-Intentioned Noncompliance Employee believes that their deviation from the procurement process does not harm the organization. As a matter of fact, they sometimes believe they are helping the organization in obtaining greater efficiency or obtaining better services. The self-described well-intentioned non-compliance employee is normally an employee who has been with the organization for several years and has a good working knowledge of procurement processes or requirements and therefore knows how to advance their idea of efficiency. This is the employee who will not identify to the procurement division the true scope of a requirement to ensure the contract remains under a particular dollar threshold, thereby allowing the award to be expedited (split purchase). This is also the employee who knows what key descriptions in an organizational purchasing document to use, or not to use, to avoid any additional procurement steps. This Well-Intentioned Noncompliance employee is found in organizations that allow low-dollar purchases without approval from an independent department or the purchasing department, or organizations with limited checking on compliance with their procurement processes. This person’s actions, similar to the Multi-Interest Abuser, raise the risk of contract protests, or of potentially paying higher than needed cost for items due to the absence of a fair and open competitive process.

Disengaged Noncompliance Employee
The Disengaged Noncompliance Employee is the one who puts little or minimal effort into a specific procurement step. This person will not verify a contractor’s bond, or not examine a contractor’s past performance record, or not confirm a contractor’s deliverable prior to approving payment. The actions, or lack of actions, by the disengaged person are the byproduct of a disgruntled or dissatisfied employee.

Case study examples of a DoD Multi-Interest Abuser and Situational Fraudster are discussed in Figures I-1 and I-2.

Figure I-1. Contracting Scheme

The DoD Multi-Interest Abuser
Service Member Contracting Scheme

Case Facts – A service member misused their position as Chief Contracting Officer at an overseas location. The individual steered military contracts to a company owned by their family. In one scheme, the family business received over $30,000 in a prearranged contract to purchase military equipment. Over time, the family’s profits exceeded 3 million dollars.

A plea agreement revealed that the service member exploited a partnership with a contractor by guiding work to their company. As part of the arrangement, the contracting company steered significant portions of certain contracts to the family operated business. Because of their position, the service member was the only family member that was knowledgeable about government contracting processes, which government contracts were likely to be awarded to a competitor, and which government contracts were previously awarded to competing businesses.

Outcome – The service member was charged with conflict of interest and sentenced to 30 months in prison for public bribery. In exchange for his guilty plea, the family members were not prosecuted.

Figure I-2. Civilian Bribery Scheme

The DoD Situational Fraudster
Former DoD Civilian Sentenced for Bribery

Case Facts – A DoD civilian was responsible for placing orders with local vendors for industrial supplies and cleaning agents. They initially accepted gifts such as college basketball tickets and video game systems in exchange for placing orders through a local vendor. Within six months, the employee increased orders of cleaning supplies by approximately $30,000. The unnecessary increases were made so the local vendor would contribute to their son’s baseball team.

Next, the employee and the vendor agreed to formalize their arrangement. The pair agreed that the employee would receive a cash payment equal to 2.25% of the total amount of any order placed with the vendor. During a two week period, eight separate orders were placed totaling over $280,000. In exchange for placing these orders, the vendor paid the employee $6,800. However, the employee was greedy and complained that they were owed over $7,000 based upon the agreed rate of 2.25%.

This arrangement continued for over a year. Over time, the employee inflated numerous orders and, in exchange, was paid over $34,000 in gifts and cash from the local vendor.

Outcome – The employee was sentenced to 30 months in prison for public bribery.

Appendix J
Organization Tool for Evaluating Fraud Control Program
Organizations are encouraged to use the checklist[38] below as a tool for evaluating the effectiveness of their fraud control program. The checklist is intended for illustrative purposes only.
DoD organizations are encouraged to modify the checklist to suit their mission, size, complexity, and maturity of their fraud control program.

Fraud Control Governance Arrangements
1. Does the entity have an effective and articulated fraud control framework in place?
2. Does the entity have a central point of contact for fraud control within the entity?
3. Does the Audit Committee have a role in overseeing the development and implementation of the fraud risk assessment and fraud control plan?
4. Is information on the entity’s values and code of conduct easily accessible to employees and included as part of its induction processes?
5. Does the entity have a conflict of interest policy and is this easily accessible and understood by employees?

Fraud Prevention
6. Has the entity undertaken a comprehensive fraud risk assessment in the previous two years, or following any significant change to the entity if earlier?
7. In identifying the fraud risks, does the entity consider: the entity’s role, size and function; any change in structure or function; external and internal fraud; new and emerging fraud risks; and the broader organizational risks?
8. Has a fraud control plan been developed to minimize the impact and likelihood of identified risks?

[38] Australian National Audit Office, “Fraud Control in Australian Government Entities,” Better Practice Guide, March 2011.

9. Has a fraud policy been issued by the Chief Executive Officer outlining the entity’s position on fraud?
10. Do agreements with non-government service providers consider the applicable elements of the organization’s Code of Conduct?
11. Does the entity ensure that adequate employment screening procedures are implemented?
12. Does the entity take steps to ensure the bona fides of new suppliers and customers and periodically confirm these?
13. Does the entity ensure that adequate fraud awareness activities and training are conducted within the organization? This should also include external parties such as suppliers and customers.
14. Does the entity have a formal process in place for communicating the outcomes of completed fraud investigations to the internal audit department, so it can tailor and target fraud awareness activity and information?

Fraud Detection
15. Does the entity have a range of internal and external reporting mechanisms in place for parties to report suspected unethical behavior (including fraud)?
16. Are the entity’s reporting mechanisms easily accessible by internal and external parties?
17. Does the entity use internal audit to actively review its detective control environment?
18. Does the entity provide sufficient information to enable employees to recognize the possible ‘red flags’ or early warning signs of fraud activity?
19. Does the entity require active fraud detection measures such as data mining or ‘hot spot analysis’?

Monitoring, Evaluating and Reporting
20. Are there effective reporting channels (internal and external) in place to ensure all reported instances of fraud are adequately monitored?
21. Do the monitoring systems ensure appropriate accountability for fraud control?
22. Is there a quality assurance review system in place to help identify problems in all aspects of fraud control and its operations?
23. Following an instance of fraud, does the entity review the work processes subject to the fraud to determine whether changes were required to existing processes, including processes relating to fraud risk assessment and fraud prevention?

Appendix K
Suggested Reading
• AICPA, “Management Override of Internal Controls,” January 2005
  http://www.aicpa.org/_catalogs/masterpage/Search.aspx?S=management+override+of+internal+controls

• Australian National Audit Office, “Fraud Control in Australian Government Entities, Better Practice Guide,” March 2011
  http://www.anao.gov.au/Publications/Better-Practice-Guides/2010-2011/Fraud-Control-in-Australian-Government-Entities

• American Accounting Association, “Auditors’ Use of Brainstorming in the Consideration of Fraud: Reports from the Field,” Joseph F. Brazel, North Carolina State University, Tina D. Carpenter, University of Georgia, J. Gregory Jenkins, Virginia Polytechnic Institute and State University, 2010
  http://papers.ssrn.com/sol3/papers.cfm?abstract_id=965453

• Chartered Institute of Management Accountants, “Fraud risk management, A guide to good practice,” January 2009
  http://www.cimaglobal.com/Thought-leadership/Research-topics/Governance/Fraud-risk-management-a-guide-to-good-practice-/

• Department of the Navy, Bureau of Medicine and Surgery, “Navy Medicine Anti-Fraud Program, Instruction 5370.4,” April 1, 2010
  http://www.med.navy.mil/directives/Pages/BUMEDInstructions.aspx

• Grant Thornton, “Managing fraud risk: The audit committee perspective,” not dated.
  http://www.grantthornton.com/issues/library/articles/audit/2012/Audit-2013-06-Managing-fraud-risk-2012.aspx

• IIA, AICPA, ACFE, “Managing the Business Risk of Fraud: A Practical Guide,” not dated.
  http://www.acfe.com/resource-library.aspx

• Independent Commission Against Corruption’s publication titled “Fighting Fraud, Guidelines for State and Local Governments,” November 2002
  http://www.cmc.qld.gov.au/topics/misconduct/misconduct-prevention/major-risk-areas/fraud-and-corruption

• KPMG Forensic Practice, “Fraud Risk Management, Developing Strategies for Prevention, Detection, and Response,” 2006
  http://www.informationweek.com/whitepaper/Business_Intelligence/wp902902?articleID=902902

• PricewaterhouseCoopers, “How principles-based risk assessment enables organizations to take the right risks,” 2008
  http://www.pwc.com/us/en/issues/enterprise-risk-management/publications/guide-to-risk-assessment-risk-management-from-pwc.jhtml

• United Kingdom, Department of Finance and Personnel, “Anti-Fraud Policy Response Plan,” April 2011
  http://www.dfpni.gov.uk/search.lsim?sb=0&qt=drug&sr=80&ha=dfp-cms&cs=iso-8859-1&mt=1&nh=10&sc=&sm=0

• DoD OIG, Fraud Investigative Resources
  www.dodig.mil/resources/fraud/index.html
  This online tool contains the following information: fraud scenarios and indicators, GAGAS requirements for auditors, fraud knowledge tests, and links to additional fraud resources.

Acronyms and Abbreviations
AAA                 Army Audit Agency
AAFES               Army and Air Force Exchange Service, Audit Division
AAMC                Association of American Medical Colleges
ACFE                Association of Certified Fraud Examiners
AICPA               American Institute of Certified Public Accountants
C-FRAM NAVSEA OIG   Contract Fraud Risk Assessment and Mitigation Branch, Naval Sea Systems Command, Office of the Inspector General
CIGIE               Council of the Inspectors General on Integrity and Efficiency, Training Institute
              CMD Command\n                                     COR Contracting Officer Representative\n                                     CSA Control Self-Assessment\n                                  DoD EA DoD Education Activity\n                                     DTS Defense Travel System\n                                      FA Family Assistance\n                                  GAGAS generally accepted government auditing standards\n                       Grant Thornton, LLP Grant Thornton\n                                       IA Internal Audit\n                                      IIA Institute of Internal Auditors\n                                     OIG Office of Inspector General\n                                MCNAFAS Marine Corps Nonappropriated Funds Audit Service\n                                 NAVSEA Naval Sea Systems Command\n                                NEXCOM Navy Exchange Service Command\n                               Texas Tech Texas Tech University System\n                                    USDA US Department of Agriculture\n\n\n\n\n148 \xe2\x94\x82 DODIG-2014-094\n\x0c            Whistleblower Protection\n           U.S. Department of Defense\nThe Whistleblower Protection Enhancement Act of 2012 requires\nthe Inspector General to designate a Whistleblower Protection\nOmbudsman to educate agency employees about prohibitions\non retaliation, and rights and remedies against retaliation for\nprotected disclosures. The designated ombudsman is the DoD Hotline\nDirector. 
For more information on your rights and remedies against\n     retaliation, visit www.dodig.mil/programs/whistleblower.\n\n\n\n\n   For more information about DoD IG\n  reports or activities, please contact us:\n                      Congressional Liaison\n               congressional@dodig.mil; 703.604.8324\n\n                             Media Contact\n                public.affairs@dodig.mil; 703.604.8324\n\n                        Monthly Update\n                dodigconnect-request@listserve.com\n\n                       Reports Mailing List\n                     dodig_report@listserve.com\n\n                               Twitter\n                         twitter.com/DoD_IG\n\n                           DoD Hotline\n                          dodig.mil/hotline\n\x0cD epartment of D efense \xe2\x94\x82 I nspector G eneral\n               4800 Mark Center Drive\n             Alexandria, VA 22350-1500\n                   www.dodig.mil\n           Defense Hotline 1.800.424.9098\n\x0c'